+36 -1

CLAUDE.md

··· 475 475 476 476 Read access: 477 477 - **Public hold** (`HOLD_PUBLIC=true`): Anonymous + all authenticated users 478 478 - - **Private hold** (`HOLD_PUBLIC=false`): Requires authentication + crew membership with blob:read permission 478 478 + - **Private hold** (`HOLD_PUBLIC=false`): Requires authentication + crew membership with blob:read OR blob:write permission 479 479 + - **Note:** `blob:write` implicitly grants `blob:read` access (can't push without pulling) 479 480 480 481 Write access: 481 482 - Hold owner OR crew members with blob:write permission 482 483 - Verified via `io.atcr.hold.crew` records in hold's embedded PDS 484 484 + 485 485 + **Permission Matrix:** 486 486 + 487 487 + | User Type | Public Read | Private Read | Write | Crew Admin | 488 488 + |-----------|-------------|--------------|-------|------------| 489 489 + | Anonymous | Yes | No | No | No | 490 490 + | Owner (captain) | Yes | Yes | Yes | Yes (implied) | 491 491 + | Crew (blob:read only) | Yes | Yes | No | No | 492 492 + | Crew (blob:write only) | Yes | Yes* | Yes | No | 493 493 + | Crew (blob:read + blob:write) | Yes | Yes | Yes | No | 494 494 + | Crew (crew:admin) | Yes | Yes | Yes | Yes | 495 495 + | Authenticated non-crew | Yes | No | No | No | 496 496 + 497 497 + *`blob:write` implicitly grants `blob:read` access 498 498 + 499 499 + **Authorization Error Format:** 500 500 + 501 501 + All authorization failures use consistent structured errors (`pkg/hold/pds/auth.go`): 502 502 + ``` 503 503 + access denied for [action]: [reason] (required: [permission(s)]) 504 504 + ``` 505 505 + 506 506 + Examples: 507 507 + - `access denied for blob:read: user is not a crew member (required: blob:read or blob:write)` 508 508 + - `access denied for blob:write: crew member lacks permission (required: blob:write)` 509 509 + - `access denied for crew:admin: user is not a crew member (required: crew:admin)` 510 510 + 511 511 + **Shared Error Constants** (`pkg/hold/pds/auth.go`): 512 512 + - `ErrMissingAuthHeader` - Missing Authorization header 513 513 + - `ErrInvalidAuthFormat` - Invalid Authorization header format 514 514 + - `ErrInvalidAuthScheme` - Invalid scheme (expected Bearer or DPoP) 515 515 + - `ErrInvalidJWTFormat` - Malformed JWT 516 516 + - `ErrMissingISSClaim` / `ErrMissingSubClaim` - Missing JWT claims 517 517 + - `ErrTokenExpired` - Token has expired 483 518 484 519 **Embedded PDS Endpoints** (`pkg/hold/pds/xrpc.go`): 485 520

+4 -4

Dockerfile.appview

··· 1 1 # Production build for ATCR AppView 2 2 # Result: ~30MB scratch image with static binary 3 3 - FROM docker.io/golang:1.25.2-trixie AS builder 3 3 + FROM docker.io/golang:1.25.4-trixie AS builder 4 4 5 5 ENV DEBIAN_FRONTEND=noninteractive 6 6 ··· 34 34 LABEL org.opencontainers.image.title="ATCR AppView" \ 35 35 org.opencontainers.image.description="ATProto Container Registry - OCI-compliant registry using AT Protocol for manifest storage" \ 36 36 org.opencontainers.image.authors="ATCR Contributors" \ 37 37 - org.opencontainers.image.source="https://tangled.org/@evan.jarrett.net/at-container-registry" \ 38 38 - org.opencontainers.image.documentation="https://tangled.org/@evan.jarrett.net/at-container-registry" \ 37 37 + org.opencontainers.image.source="https://tangled.org/evan.jarrett.net/at-container-registry" \ 38 38 + org.opencontainers.image.documentation="https://tangled.org/evan.jarrett.net/at-container-registry" \ 39 39 org.opencontainers.image.licenses="MIT" \ 40 40 org.opencontainers.image.version="0.1.0" \ 41 41 io.atcr.icon="https://imgs.blue/evan.jarrett.net/1TpTNrRelfloN2emuWZDrWmPT0o93bAjEnozjD6UPgoVV9m4" \ 42 42 - io.atcr.readme="https://tangled.org/@evan.jarrett.net/at-container-registry/raw/main/docs/appview.md" 42 42 + io.atcr.readme="https://tangled.org/evan.jarrett.net/at-container-registry/raw/main/docs/appview.md" 43 43 44 44 ENTRYPOINT ["/atcr-appview"] 45 45 CMD ["serve"]

+1 -1

Dockerfile.dev

··· 1 1 # Development image with Air hot reload 2 2 # Build: docker build -f Dockerfile.dev -t atcr-appview-dev . 3 3 # Run: docker run -v $(pwd):/app -p 5000:5000 atcr-appview-dev 4 4 - FROM docker.io/golang:1.25.2-trixie 4 4 + FROM docker.io/golang:1.25.4-trixie 5 5 6 6 ENV DEBIAN_FRONTEND=noninteractive 7 7

+4 -4

Dockerfile.hold

··· 1 1 - FROM docker.io/golang:1.25.2-trixie AS builder 1 1 + FROM docker.io/golang:1.25.4-trixie AS builder 2 2 3 3 ENV DEBIAN_FRONTEND=noninteractive 4 4 ··· 38 38 LABEL org.opencontainers.image.title="ATCR Hold Service" \ 39 39 org.opencontainers.image.description="ATCR Hold Service - Bring Your Own Storage component for ATCR" \ 40 40 org.opencontainers.image.authors="ATCR Contributors" \ 41 41 - org.opencontainers.image.source="https://tangled.org/@evan.jarrett.net/at-container-registry" \ 42 42 - org.opencontainers.image.documentation="https://tangled.org/@evan.jarrett.net/at-container-registry" \ 41 41 + org.opencontainers.image.source="https://tangled.org/evan.jarrett.net/at-container-registry" \ 42 42 + org.opencontainers.image.documentation="https://tangled.org/evan.jarrett.net/at-container-registry" \ 43 43 org.opencontainers.image.licenses="MIT" \ 44 44 org.opencontainers.image.version="0.1.0" \ 45 45 io.atcr.icon="https://imgs.blue/evan.jarrett.net/1TpTOdtS60GdJWBYEqtK22y688jajbQ9a5kbYRFtwuqrkBAE" \ 46 46 - io.atcr.readme="https://tangled.org/@evan.jarrett.net/at-container-registry/raw/main/docs/hold.md" 46 46 + io.atcr.readme="https://tangled.org/evan.jarrett.net/at-container-registry/raw/main/docs/hold.md" 47 47 48 48 ENTRYPOINT ["/atcr-hold"]

+32 -57

cmd/appview/serve.go

··· 82 82 slog.Info("Initializing hold health checker", "cache_ttl", cfg.Health.CacheTTL) 83 83 healthChecker := holdhealth.NewChecker(cfg.Health.CacheTTL) 84 84 85 85 - // Initialize README cache 86 86 - slog.Info("Initializing README cache", "cache_ttl", cfg.Health.ReadmeCacheTTL) 87 87 - readmeCache := readme.NewCache(uiDatabase, cfg.Health.ReadmeCacheTTL) 85 85 + // Initialize README fetcher for rendering repo page descriptions 86 86 + readmeFetcher := readme.NewFetcher() 88 87 89 88 // Start background health check worker 90 89 startupDelay := 5 * time.Second // Wait for hold services to start (Docker compose) ··· 151 150 middleware.SetGlobalRefresher(refresher) 152 151 153 152 // Set global database for pull/push metrics tracking 154 154 - metricsDB := db.NewMetricsDB(uiDatabase) 155 155 - middleware.SetGlobalDatabase(metricsDB) 153 153 + middleware.SetGlobalDatabase(uiDatabase) 156 154 157 155 // Create RemoteHoldAuthorizer for hold authorization with caching 158 156 holdAuthorizer := auth.NewRemoteHoldAuthorizer(uiDatabase, testMode) 159 157 middleware.SetGlobalAuthorizer(holdAuthorizer) 160 158 slog.Info("Hold authorizer initialized with database caching") 161 161 - 162 162 - // Set global readme cache for middleware 163 163 - middleware.SetGlobalReadmeCache(readmeCache) 164 164 - slog.Info("README cache initialized for manifest push refresh") 165 159 166 160 // Initialize Jetstream workers (background services before HTTP routes) 167 167 - initializeJetstream(uiDatabase, &cfg.Jetstream, defaultHoldDID, testMode) 161 161 + initializeJetstream(uiDatabase, &cfg.Jetstream, defaultHoldDID, testMode, refresher) 168 162 169 163 // Create main chi router 170 164 mainRouter := chi.NewRouter() ··· 194 188 BaseURL: baseURL, 195 189 DeviceStore: deviceStore, 196 190 HealthChecker: healthChecker, 197 197 - ReadmeCache: readmeCache, 191 191 + ReadmeFetcher: readmeFetcher, 198 192 Templates: uiTemplates, 193 193 + DefaultHoldDID: defaultHoldDID, 199 194 }) 200 195 } 201 196 } ··· 217 212 // Create ATProto client with session provider (uses DoWithSession for DPoP nonce safety) 218 213 client := atproto.NewClientWithSessionProvider(pdsEndpoint, did, refresher) 219 214 220 220 - // Ensure sailor profile exists (creates with default hold if configured) 221 221 - slog.Debug("Ensuring profile exists", "component", "appview/callback", "did", did, "default_hold_did", defaultHoldDID) 222 222 - if err := storage.EnsureProfile(ctx, client, defaultHoldDID); err != nil { 223 223 - slog.Warn("Failed to ensure profile", "component", "appview/callback", "did", did, "error", err) 224 224 - // Continue anyway - profile creation is not critical for avatar fetch 225 225 - } else { 226 226 - slog.Debug("Profile ensured", "component", "appview/callback", "did", did) 227 227 - } 215 215 + // Note: Profile and crew setup now happen automatically via UserContext.EnsureUserSetup() 228 216 229 217 // Fetch user's profile record from PDS (contains blob references) 230 218 profileRecord, err := client.GetProfileRecord(ctx, did) ··· 275 263 return nil // Non-fatal 276 264 } 277 265 278 278 - var holdDID string 279 279 - if profile != nil && profile.DefaultHold != nil && *profile.DefaultHold != "" { 280 280 - defaultHold := *profile.DefaultHold 266 266 + // Migrate profile URL→DID if needed (legacy migration, crew registration now handled by UserContext) 267 267 + if profile != nil && profile.DefaultHold != "" { 281 268 // Check if defaultHold is a URL (needs migration) 282 282 - if strings.HasPrefix(defaultHold, "http://") || strings.HasPrefix(defaultHold, "https://") { 283 283 - slog.Debug("Migrating hold URL to DID", "component", "appview/callback", "did", did, "hold_url", defaultHold) 269 269 + if strings.HasPrefix(profile.DefaultHold, "http://") || strings.HasPrefix(profile.DefaultHold, "https://") { 270 270 + slog.Debug("Migrating hold URL to DID", "component", "appview/callback", "did", did, "hold_url", profile.DefaultHold) 284 271 285 272 // Resolve URL to DID 286 286 - holdDID = atproto.ResolveHoldDIDFromURL(defaultHold) 273 273 + holdDID := atproto.ResolveHoldDIDFromURL(profile.DefaultHold) 287 274 288 275 // Update profile with DID 289 289 - profile.DefaultHold = &holdDID 276 276 + profile.DefaultHold = holdDID 290 277 if err := storage.UpdateProfile(ctx, client, profile); err != nil { 291 278 slog.Warn("Failed to update profile with hold DID", "component", "appview/callback", "did", did, "error", err) 292 279 } else { 293 280 slog.Debug("Updated profile with hold DID", "component", "appview/callback", "hold_did", holdDID) 294 281 } 295 295 - } else { 296 296 - // Already a DID - use it 297 297 - holdDID = defaultHold 298 282 } 299 299 - // Register crew regardless of migration (outside the migration block) 300 300 - // Run in background to avoid blocking OAuth callback if hold is offline 301 301 - // Use background context - don't inherit request context which gets canceled on response 302 302 - slog.Debug("Attempting crew registration", "component", "appview/callback", "did", did, "hold_did", holdDID) 303 303 - go func(client *atproto.Client, refresher *oauth.Refresher, holdDID string) { 304 304 - ctx := context.Background() 305 305 - storage.EnsureCrewMembership(ctx, client, refresher, holdDID) 306 306 - }(client, refresher, holdDID) 307 307 - 308 283 } 309 284 310 285 return nil // All errors are non-fatal, logged for debugging ··· 326 301 ctx := context.Background() 327 302 app := handlers.NewApp(ctx, cfg.Distribution) 328 303 329 329 - // Wrap registry app with auth method extraction middleware 330 330 - // This extracts the auth method from the JWT and stores it in the request context 304 304 + // Wrap registry app with middleware chain: 305 305 + // 1. ExtractAuthMethod - extracts auth method from JWT and stores in context 306 306 + // 2. UserContextMiddleware - builds UserContext with identity, permissions, service tokens 331 307 wrappedApp := middleware.ExtractAuthMethod(app) 308 308 + 309 309 + // Create dependencies for UserContextMiddleware 310 310 + userContextDeps := &auth.Dependencies{ 311 311 + Refresher: refresher, 312 312 + Authorizer: holdAuthorizer, 313 313 + DefaultHoldDID: defaultHoldDID, 314 314 + } 315 315 + wrappedApp = middleware.UserContextMiddleware(userContextDeps)(wrappedApp) 332 316 333 317 // Mount registry at /v2/ 334 318 mainRouter.Handle("/v2/*", wrappedApp) ··· 398 382 399 383 w.Header().Set("Content-Type", "application/json") 400 384 w.Header().Set("Access-Control-Allow-Origin", "*") 385 385 + // Limit caching to allow scope changes to propagate quickly 386 386 + // PDS servers cache client metadata, so short max-age helps with updates 387 387 + w.Header().Set("Cache-Control", "public, max-age=300") 401 388 if err := json.NewEncoder(w).Encode(metadataMap); err != nil { 402 389 http.Error(w, "Failed to encode metadata", http.StatusInternalServerError) 403 390 } ··· 415 402 // Prevents the flood of errors when a stale session is discovered during push 416 403 tokenHandler.SetOAuthSessionValidator(refresher) 417 404 418 418 - // Register token post-auth callback for profile management 419 419 - // This decouples the token package from AppView-specific dependencies 405 405 + // Register token post-auth callback 406 406 + // Note: Profile and crew setup now happen automatically via UserContext.EnsureUserSetup() 420 407 tokenHandler.SetPostAuthCallback(func(ctx context.Context, did, handle, pdsEndpoint, accessToken string) error { 421 408 slog.Debug("Token post-auth callback", "component", "appview/callback", "did", did) 422 422 - 423 423 - // Create ATProto client with validated token 424 424 - atprotoClient := atproto.NewClient(pdsEndpoint, did, accessToken) 425 425 - 426 426 - // Ensure profile exists (will create with default hold if not exists and default is configured) 427 427 - if err := storage.EnsureProfile(ctx, atprotoClient, defaultHoldDID); err != nil { 428 428 - // Log error but don't fail auth - profile management is not critical 429 429 - slog.Warn("Failed to ensure profile", "component", "appview/callback", "did", did, "error", err) 430 430 - } else { 431 431 - slog.Debug("Profile ensured with default hold", "component", "appview/callback", "did", did, "default_hold_did", defaultHoldDID) 432 432 - } 433 433 - 434 434 - return nil // All errors are non-fatal 409 409 + return nil 435 410 }) 436 411 437 412 mainRouter.Get("/auth/token", tokenHandler.ServeHTTP) ··· 520 495 } 521 496 522 497 // initializeJetstream initializes the Jetstream workers for real-time events and backfill 523 523 - func initializeJetstream(database *sql.DB, jetstreamCfg *appview.JetstreamConfig, defaultHoldDID string, testMode bool) { 498 498 + func initializeJetstream(database *sql.DB, jetstreamCfg *appview.JetstreamConfig, defaultHoldDID string, testMode bool, refresher *oauth.Refresher) { 524 499 // Start Jetstream worker 525 500 jetstreamURL := jetstreamCfg.URL 526 501 ··· 544 519 // Get relay endpoint for sync API (defaults to Bluesky's relay) 545 520 relayEndpoint := jetstreamCfg.RelayEndpoint 546 521 547 547 - backfillWorker, err := jetstream.NewBackfillWorker(database, relayEndpoint, defaultHoldDID, testMode) 522 522 + backfillWorker, err := jetstream.NewBackfillWorker(database, relayEndpoint, defaultHoldDID, testMode, refresher) 548 523 if err != nil { 549 524 slog.Warn("Failed to create backfill worker", "component", "jetstream/backfill", "error", err) 550 525 } else {

+84

docs/HOLD_XRPC_ENDPOINTS.md

··· 1 1 + # Hold Service XRPC Endpoints 2 2 + 3 3 + This document lists all XRPC endpoints implemented in the Hold service (`pkg/hold/`). 4 4 + 5 5 + ## PDS Endpoints (`pkg/hold/pds/xrpc.go`) 6 6 + 7 7 + ### Public (No Auth Required) 8 8 + 9 9 + | Endpoint | Method | Description | 10 10 + |----------|--------|-------------| 11 11 + | `/xrpc/_health` | GET | Health check | 12 12 + | `/xrpc/com.atproto.server.describeServer` | GET | Server metadata | 13 13 + | `/xrpc/com.atproto.repo.describeRepo` | GET | Repository information | 14 14 + | `/xrpc/com.atproto.repo.getRecord` | GET | Retrieve a single record | 15 15 + | `/xrpc/com.atproto.repo.listRecords` | GET | List records in a collection (paginated) | 16 16 + | `/xrpc/com.atproto.sync.listRepos` | GET | List all repositories | 17 17 + | `/xrpc/com.atproto.sync.getRecord` | GET | Get record as CAR file | 18 18 + | `/xrpc/com.atproto.sync.getRepo` | GET | Full repository as CAR file | 19 19 + | `/xrpc/com.atproto.sync.getRepoStatus` | GET | Repository hosting status | 20 20 + | `/xrpc/com.atproto.sync.subscribeRepos` | GET | WebSocket firehose | 21 21 + | `/xrpc/com.atproto.identity.resolveHandle` | GET | Resolve handle to DID | 22 22 + | `/xrpc/app.bsky.actor.getProfile` | GET | Get actor profile | 23 23 + | `/xrpc/app.bsky.actor.getProfiles` | GET | Get multiple profiles | 24 24 + | `/.well-known/did.json` | GET | DID document | 25 25 + | `/.well-known/atproto-did` | GET | DID for handle resolution | 26 26 + 27 27 + ### Conditional Auth (based on captain.public) 28 28 + 29 29 + | Endpoint | Method | Description | 30 30 + |----------|--------|-------------| 31 31 + | `/xrpc/com.atproto.sync.getBlob` | GET/HEAD | Get blob (routes OCI vs ATProto) | 32 32 + 33 33 + ### Owner/Crew Admin Required 34 34 + 35 35 + | Endpoint | Method | Description | 36 36 + |----------|--------|-------------| 37 37 + | `/xrpc/com.atproto.repo.deleteRecord` | POST | Delete a record | 38 38 + | `/xrpc/com.atproto.repo.uploadBlob` | POST | Upload ATProto blob | 39 39 + 40 40 + ### DPoP Auth Required 41 41 + 42 42 + | Endpoint | Method | Description | 43 43 + |----------|--------|-------------| 44 44 + | `/xrpc/io.atcr.hold.requestCrew` | POST | Request crew membership | 45 45 + 46 46 + --- 47 47 + 48 48 + ## OCI Multipart Upload Endpoints (`pkg/hold/oci/xrpc.go`) 49 49 + 50 50 + All require `blob:write` permission via service token: 51 51 + 52 52 + | Endpoint | Method | Description | 53 53 + |----------|--------|-------------| 54 54 + | `/xrpc/io.atcr.hold.initiateUpload` | POST | Start multipart upload | 55 55 + | `/xrpc/io.atcr.hold.getPartUploadUrl` | POST | Get presigned URL for part | 56 56 + | `/xrpc/io.atcr.hold.uploadPart` | PUT | Direct buffered part upload | 57 57 + | `/xrpc/io.atcr.hold.completeUpload` | POST | Finalize multipart upload | 58 58 + | `/xrpc/io.atcr.hold.abortUpload` | POST | Cancel multipart upload | 59 59 + | `/xrpc/io.atcr.hold.notifyManifest` | POST | Notify manifest push (creates layer records + optional Bluesky post) | 60 60 + 61 61 + --- 62 62 + 63 63 + ## Standard ATProto Endpoints (excluding io.atcr.hold.*) 64 64 + 65 65 + | Endpoint | 66 66 + |----------| 67 67 + | /xrpc/_health | 68 68 + | /xrpc/com.atproto.server.describeServer | 69 69 + | /xrpc/com.atproto.repo.describeRepo | 70 70 + | /xrpc/com.atproto.repo.getRecord | 71 71 + | /xrpc/com.atproto.repo.listRecords | 72 72 + | /xrpc/com.atproto.repo.deleteRecord | 73 73 + | /xrpc/com.atproto.repo.uploadBlob | 74 74 + | /xrpc/com.atproto.sync.listRepos | 75 75 + | /xrpc/com.atproto.sync.getRecord | 76 76 + | /xrpc/com.atproto.sync.getRepo | 77 77 + | /xrpc/com.atproto.sync.getRepoStatus | 78 78 + | /xrpc/com.atproto.sync.getBlob | 79 79 + | /xrpc/com.atproto.sync.subscribeRepos | 80 80 + | /xrpc/com.atproto.identity.resolveHandle | 81 81 + | /xrpc/app.bsky.actor.getProfile | 82 82 + | /xrpc/app.bsky.actor.getProfiles | 83 83 + | /.well-known/did.json | 84 84 + | /.well-known/atproto-did |

+3 -4

docs/TEST_COVERAGE_GAPS.md

··· 112 112 113 113 **Remaining gaps:** 114 114 - `notifyHoldAboutManifest()` - 0% (background notification, less critical) 115 115 - - `refreshReadmeCache()` - 11.8% (UI feature, lower priority) 116 115 117 116 ## Critical Priority: Core Registry Functionality 118 117 ··· 423 422 424 423 --- 425 424 426 426 - ### 🟡 pkg/appview/readme (16.7% coverage) 425 425 + ### 🟡 pkg/appview/readme (Partial coverage) 427 426 428 428 - README fetching and caching. Less critical but still needs work. 427 427 + README rendering for repo page descriptions. The cache.go was removed as README content is now stored in `io.atcr.repo.page` records and synced via Jetstream. 429 428 430 430 - #### cache.go (0% coverage) 431 429 #### fetcher.go (📊 Partial coverage) 430 430 + - `RenderMarkdown()` - renders repo page description markdown 432 431 433 432 --- 434 433

+399

docs/VALKEY_MIGRATION.md

··· 1 1 + # Analysis: AppView SQL Database Usage 2 2 + 3 3 + ## Overview 4 4 + 5 5 + The AppView uses SQLite with 19 tables. The key finding: **most data is a cache of ATProto records** that could theoretically be rebuilt from users' PDS instances. 6 6 + 7 7 + ## Data Categories 8 8 + 9 9 + ### 1. MUST PERSIST (Local State Only) 10 10 + 11 11 + These tables contain data that **cannot be reconstructed** from external sources: 12 12 + 13 13 + | Table | Purpose | Why It Must Persist | 14 14 + |-------|---------|---------------------| 15 15 + | `oauth_sessions` | OAuth tokens | Refresh tokens are stateful; losing them = users must re-auth | 16 16 + | `ui_sessions` | Web browser sessions | Session continuity for logged-in users | 17 17 + | `devices` | Approved devices + bcrypt secrets | User authorization decisions; secrets are one-way hashed | 18 18 + | `pending_device_auth` | In-flight auth flows | Short-lived (10min) but critical during auth | 19 19 + | `oauth_auth_requests` | OAuth flow state | Short-lived but required for auth completion | 20 20 + | `repository_stats` | Pull/push counts | **Locally tracked metrics** - not stored in ATProto | 21 21 + 22 22 + ### 2. CACHED FROM PDS (Rebuildable) 23 23 + 24 24 + These tables are essentially a **read-through cache** of ATProto data: 25 25 + 26 26 + | Table | Source | ATProto Collection | 27 27 + |-------|--------|-------------------| 28 28 + | `users` | User's PDS profile | `app.bsky.actor.profile` + DID document | 29 29 + | `manifests` | User's PDS | `io.atcr.manifest` records | 30 30 + | `tags` | User's PDS | `io.atcr.tag` records | 31 31 + | `layers` | Derived from manifests | Parsed from manifest content | 32 32 + | `manifest_references` | Derived from manifest lists | Parsed from multi-arch manifests | 33 33 + | `repository_annotations` | Manifest config blob | OCI annotations from config | 34 34 + | `repo_pages` | User's PDS | `io.atcr.repo.page` records | 35 35 + | `stars` | User's PDS | `io.atcr.sailor.star` records (synced via Jetstream) | 36 36 + | `hold_captain_records` | Hold's embedded PDS | `io.atcr.hold.captain` records | 37 37 + | `hold_crew_approvals` | Hold's embedded PDS | `io.atcr.hold.crew` records | 38 38 + | `hold_crew_denials` | Local authorization cache | Could re-check on demand | 39 39 + 40 40 + ### 3. OPERATIONAL 41 41 + 42 42 + | Table | Purpose | 43 43 + |-------|---------| 44 44 + | `schema_migrations` | Migration tracking | 45 45 + | `firehose_cursor` | Jetstream position (can restart from 0) | 46 46 + 47 47 + ## Key Insights 48 48 + 49 49 + ### What's Actually Unique to AppView? 50 50 + 51 51 + 1. **Authentication state** - OAuth sessions, devices, UI sessions 52 52 + 2. **Engagement metrics** - Pull/push counts (locally tracked, not in ATProto) 53 53 + 54 54 + ### What Could Be Eliminated? 55 55 + 56 56 + If ATCR fully embraced the ATProto model: 57 57 + 58 58 + 1. **`users`** - Query PDS on demand (with caching) 59 59 + 2. **`manifests`, `tags`, `layers`** - Query PDS on demand (with caching) 60 60 + 3. **`repository_annotations`** - Fetch manifest config on demand 61 61 + 4. **`repo_pages`** - Query PDS on demand 62 62 + 5. **`hold_*` tables** - Query hold's PDS on demand 63 63 + 64 64 + ### Trade-offs 65 65 + 66 66 + **Current approach (heavy caching):** 67 67 + - Fast queries for UI (search, browse, stats) 68 68 + - Offline resilience (PDS down doesn't break UI) 69 69 + - Complex sync logic (Jetstream consumer, backfill) 70 70 + - State can diverge from source of truth 71 71 + 72 72 + **Lighter approach (query on demand):** 73 73 + - Always fresh data 74 74 + - Simpler codebase (no sync) 75 75 + - Slower queries (network round-trips) 76 76 + - Depends on PDS availability 77 77 + 78 78 + ## Current Limitation: No Cache-Miss Queries 79 79 + 80 80 + **Finding:** There's no "query PDS on cache miss" logic. Users/manifests only enter the DB via: 81 81 + 1. OAuth login (user authenticates) 82 82 + 2. Jetstream events (firehose activity) 83 83 + 84 84 + **Problem:** If someone visits `atcr.io/alice/myapp` before alice is indexed → 404 85 85 + 86 86 + **Where this happens:** 87 87 + - `pkg/appview/handlers/repository.go:50-53`: If `db.GetUserByDID()` returns nil → 404 88 88 + - No fallback to `atproto.Client.ListRecords()` or similar 89 89 + 90 90 + **This matters for Valkey migration:** If cache is ephemeral and restarts clear it, you need cache-miss logic to repopulate on demand. Otherwise: 91 91 + - Restart Valkey → all users/manifests gone 92 92 + - Wait for Jetstream to re-index OR implement cache-miss queries 93 93 + 94 94 + **Cache-miss implementation design:** 95 95 + 96 96 + Existing code to reuse: `pkg/appview/jetstream/processor.go:43-97` (`EnsureUser`) 97 97 + 98 98 + ```go 99 99 + // New: pkg/appview/cache/loader.go 100 100 + 101 101 + type Loader struct { 102 102 + cache Cache // Valkey interface 103 103 + client *atproto.Client 104 104 + } 105 105 + 106 106 + // GetUser with cache-miss fallback 107 107 + func (l *Loader) GetUser(ctx context.Context, did string) (*User, error) { 108 108 + // 1. Try cache 109 109 + if user := l.cache.GetUser(did); user != nil { 110 110 + return user, nil 111 111 + } 112 112 + 113 113 + // 2. Cache miss - resolve identity (already queries network) 114 114 + _, handle, pdsEndpoint, err := atproto.ResolveIdentity(ctx, did) 115 115 + if err != nil { 116 116 + return nil, err // User doesn't exist in network 117 117 + } 118 118 + 119 119 + // 3. Fetch profile for avatar 120 120 + client := atproto.NewClient(pdsEndpoint, "", "") 121 121 + profile, _ := client.GetProfileRecord(ctx, did) 122 122 + avatarURL := "" 123 123 + if profile != nil && profile.Avatar != nil { 124 124 + avatarURL = atproto.BlobCDNURL(did, profile.Avatar.Ref.Link) 125 125 + } 126 126 + 127 127 + // 4. Cache and return 128 128 + user := &User{DID: did, Handle: handle, PDSEndpoint: pdsEndpoint, Avatar: avatarURL} 129 129 + l.cache.SetUser(user, 1*time.Hour) 130 130 + return user, nil 131 131 + } 132 132 + 133 133 + // GetManifestsForRepo with cache-miss fallback 134 134 + func (l *Loader) GetManifestsForRepo(ctx context.Context, did, repo string) ([]Manifest, error) { 135 135 + cacheKey := fmt.Sprintf("manifests:%s:%s", did, repo) 136 136 + 137 137 + // 1. Try cache 138 138 + if cached := l.cache.Get(cacheKey); cached != nil { 139 139 + return cached.([]Manifest), nil 140 140 + } 141 141 + 142 142 + // 2. Cache miss - get user's PDS endpoint 143 143 + user, err := l.GetUser(ctx, did) 144 144 + if err != nil { 145 145 + return nil, err 146 146 + } 147 147 + 148 148 + // 3. Query PDS for manifests 149 149 + client := atproto.NewClient(user.PDSEndpoint, "", "") 150 150 + records, _, err := client.ListRecordsForRepo(ctx, did, atproto.ManifestCollection, 100, "") 151 151 + if err != nil { 152 152 + return nil, err 153 153 + } 154 154 + 155 155 + // 4. Filter by repository and parse 156 156 + var manifests []Manifest 157 157 + for _, rec := range records { 158 158 + var m atproto.ManifestRecord 159 159 + if err := json.Unmarshal(rec.Value, &m); err != nil { 160 160 + continue 161 161 + } 162 162 + if m.Repository == repo { 163 163 + manifests = append(manifests, convertManifest(m)) 164 164 + } 165 165 + } 166 166 + 167 167 + // 5. Cache and return 168 168 + l.cache.Set(cacheKey, manifests, 10*time.Minute) 169 169 + return manifests, nil 170 170 + } 171 171 + ``` 172 172 + 173 173 + **Handler changes:** 174 174 + ```go 175 175 + // Before (repository.go:45-53): 176 176 + owner, err := db.GetUserByDID(h.DB, did) 177 177 + if owner == nil { 178 178 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 179 179 + return 180 180 + } 181 181 + 182 182 + // After: 183 183 + owner, err := h.Loader.GetUser(r.Context(), did) 184 184 + if err != nil { 185 185 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 186 186 + return 187 187 + } 188 188 + ``` 189 189 + 190 190 + **Performance considerations:** 191 191 + - Cache hit: ~1ms (Valkey lookup) 192 192 + - Cache miss: ~200-500ms (PDS round-trip) 193 193 + - First request after restart: slower but correct 194 194 + - Jetstream still useful for proactive warming 195 195 + 196 196 + --- 197 197 + 198 198 + ## Proposed Architecture: Valkey + ATProto 199 199 + 200 200 + ### Goal 201 201 + Replace SQLite with Valkey (Redis-compatible) for ephemeral state, push remaining persistent data to ATProto. 202 202 + 203 203 + ### What goes to Valkey (ephemeral, TTL-based) 204 204 + 205 205 + | Current Table | Valkey Key Pattern | TTL | Notes | 206 206 + |---------------|-------------------|-----|-------| 207 207 + | `oauth_sessions` | `oauth:{did}:{session_id}` | 90 days | Lost on restart = re-auth | 208 208 + | `ui_sessions` | `ui:{session_id}` | Session duration | Lost on restart = re-login | 209 209 + | `oauth_auth_requests` | `authreq:{state}` | 10 min | In-flight flows | 210 210 + | `pending_device_auth` | `pending:{device_code}` | 10 min | In-flight flows | 211 211 + | `firehose_cursor` | `cursor:jetstream` | None | Can restart from 0 | 212 212 + | All PDS cache tables | `cache:{collection}:{did}:{rkey}` | 10-60 min | Query PDS on miss | 213 213 + 214 214 + **Benefits:** 215 215 + - Multi-instance ready (shared Valkey) 216 216 + - No schema migrations 217 217 + - Natural TTL expiry 218 218 + - Simpler code (no SQL) 219 219 + 220 220 + ### What could become ATProto records 221 221 + 222 222 + | Current Table | Proposed Collection | Where Stored | Open Questions | 223 223 + |---------------|---------------------|--------------|----------------| 224 224 + | `devices` | `io.atcr.sailor.device` | User's PDS | Privacy: IP, user-agent sensitive? | 225 225 + | `repository_stats` | `io.atcr.repo.stats` | Hold's PDS or User's PDS | Who owns the stats? | 226 226 + 227 227 + **Devices → Valkey:** 228 228 + - Move current device table to Valkey 229 229 + - Key: `device:{did}:{device_id}` → `{name, secret_hash, ip, user_agent, created_at, last_used}` 230 230 + - TTL: Long (1 year?) or no expiry 231 231 + - Device list: `devices:{did}` → Set of device IDs 232 232 + - Secret validation works the same, just different backend 233 233 + 234 234 + **Service auth exploration (future):** 235 235 + The challenge with pure ATProto service auth is the AppView still needs the user's OAuth session to write manifests to their PDS. The current flow: 236 236 + 1. User authenticates via OAuth → AppView gets OAuth tokens 237 237 + 2. AppView issues registry JWT to credential helper 238 238 + 3. Credential helper presents JWT on each push/pull 239 239 + 4. AppView uses OAuth session to write to user's PDS 240 240 + 241 241 + Service auth could work for the hold side (AppView → Hold), but not for the user's OAuth session. 242 242 + 243 243 + **Repository stats → Hold's PDS:** 244 244 + 245 245 + **Challenge discovered:** The hold's `getBlob` endpoint only receives `did` + `cid`, not the repository name. 246 246 + 247 247 + Current flow (`proxy_blob_store.go:358-362`): 248 248 + ```go 249 249 + xrpcURL := fmt.Sprintf("%s%s?did=%s&cid=%s&method=%s", 250 250 + p.holdURL, atproto.SyncGetBlob, p.ctx.DID, dgst.String(), operation) 251 251 + ``` 252 252 + 253 253 + **Implementation options:** 254 254 + 255 255 + **Option A: Add repository parameter to getBlob (recommended)** 256 256 + ```go 257 257 + // Modified AppView call: 258 258 + xrpcURL := fmt.Sprintf("%s%s?did=%s&cid=%s&method=%s&repo=%s", 259 259 + p.holdURL, atproto.SyncGetBlob, p.ctx.DID, dgst.String(), operation, p.ctx.Repository) 260 260 + ``` 261 261 + 262 262 + ```go 263 263 + // Modified hold handler (xrpc.go:969): 264 264 + func (h *XRPCHandler) HandleGetBlob(w http.ResponseWriter, r *http.Request) { 265 265 + did := r.URL.Query().Get("did") 266 266 + cidOrDigest := r.URL.Query().Get("cid") 267 267 + repo := r.URL.Query().Get("repo") // NEW 268 268 + 269 269 + // ... existing blob handling ... 270 270 + 271 271 + // Increment stats if repo provided 272 272 + if repo != "" { 273 273 + go h.pds.IncrementPullCount(did, repo) // Async, non-blocking 274 274 + } 275 275 + } 276 276 + ``` 277 277 + 278 278 + **Stats record structure:** 279 279 + ``` 280 280 + Collection: io.atcr.hold.stats 281 281 + Rkey: base64(did:repository) // Deterministic, unique 282 282 + 283 283 + { 284 284 + "$type": "io.atcr.hold.stats", 285 285 + "did": "did:plc:alice123", 286 286 + "repository": "myapp", 287 287 + "pullCount": 1542, 288 288 + "pushCount": 47, 289 289 + "lastPull": "2025-01-15T...", 290 290 + "lastPush": "2025-01-10T...", 291 291 + "createdAt": "2025-01-01T..." 292 292 + } 293 293 + ``` 294 294 + 295 295 + **Hold-side implementation:** 296 296 + ```go 297 297 + // New file: pkg/hold/pds/stats.go 298 298 + 299 299 + func (p *HoldPDS) IncrementPullCount(ctx context.Context, did, repo string) error { 300 300 + rkey := statsRecordKey(did, repo) 301 301 + 302 302 + // Get or create stats record 303 303 + stats, err := p.GetStatsRecord(ctx, rkey) 304 304 + if err != nil || stats == nil { 305 305 + stats = &atproto.StatsRecord{ 306 306 + Type: atproto.StatsCollection, 307 307 + DID: did, 308 308 + Repository: repo, 309 309 + PullCount: 0, 310 310 + PushCount: 0, 311 311 + CreatedAt: time.Now(), 312 312 + } 313 313 + } 314 314 + 315 315 + // Increment and update 316 316 + stats.PullCount++ 317 317 + stats.LastPull = time.Now() 318 318 + 319 319 + _, err = p.repomgr.UpdateRecord(ctx, p.uid, atproto.StatsCollection, rkey, stats) 320 320 + return err 321 321 + } 322 322 + ``` 323 323 + 324 324 + **Query endpoint (new XRPC):** 325 325 + ``` 326 326 + GET /xrpc/io.atcr.hold.getStats?did={userDID}&repo={repository} 327 327 + → Returns JSON: { pullCount, pushCount, lastPull, lastPush } 328 328 + 329 329 + GET /xrpc/io.atcr.hold.listStats?did={userDID} 330 330 + → Returns all stats for a user across all repos on this hold 331 331 + ``` 332 332 + 333 333 + **AppView aggregation:** 334 334 + ```go 335 335 + func (l *Loader) GetAggregatedStats(ctx context.Context, did, repo string) (*Stats, error) { 336 336 + // 1. Get all holds that have served this repo 337 337 + holdDIDs, _ := l.cache.GetHoldDIDsForRepo(did, repo) 338 338 + 339 339 + // 2. Query each hold for stats 340 340 + var total Stats 341 341 + for _, holdDID := range holdDIDs { 342 342 + holdURL := resolveHoldDID(holdDID) 343 343 + stats, _ := queryHoldStats(ctx, holdURL, did, repo) 344 344 + total.PullCount += stats.PullCount 345 345 + total.PushCount += stats.PushCount 346 346 + } 347 347 + 348 348 + return &total, nil 349 349 + } 350 350 + ``` 351 351 + 352 352 + **Files to modify:** 353 353 + - `pkg/atproto/lexicon.go` - Add `StatsCollection` + `StatsRecord` 354 354 + - `pkg/hold/pds/stats.go` - New file for stats operations 355 355 + - `pkg/hold/pds/xrpc.go` - Add `repo` param to getBlob, add stats endpoints 356 356 + - `pkg/appview/storage/proxy_blob_store.go` - Pass repository to getBlob 357 357 + - `pkg/appview/cache/loader.go` - Aggregation logic 358 358 + 359 359 + ### Migration Path 360 360 + 361 361 + **Phase 1: Add Valkey infrastructure** 362 362 + - Add Valkey client to AppView 363 363 + - Create store interfaces that abstract SQLite vs Valkey 364 364 + - Dual-write OAuth sessions to both 365 365 + 366 366 + **Phase 2: Migrate sessions to Valkey** 367 367 + - OAuth sessions, UI sessions, auth requests, pending device auth 368 368 + - Remove SQLite session tables 369 369 + - Test: restart AppView, users get logged out (acceptable) 370 370 + 371 371 + **Phase 3: Migrate devices to Valkey** 372 372 + - Move device store to Valkey 373 373 + - Same data structure, different backend 374 374 + - Consider device expiry policy 375 375 + 376 376 + **Phase 4: Implement hold-side stats** 377 377 + - Add `io.atcr.hold.stats` collection to hold's embedded PDS 378 378 + - Hold increments stats on blob access 379 379 + - Add XRPC endpoint: `io.atcr.hold.getStats` 380 380 + 381 381 + **Phase 5: AppView stats aggregation** 382 382 + - Track holdDids per repo in Valkey cache 383 383 + - Query holds for stats, aggregate 384 384 + - Cache aggregated stats with TTL 385 385 + 386 386 + **Phase 6: Remove SQLite (optional)** 387 387 + - Keep SQLite as optional cache layer for UI queries 388 388 + - Or: Query PDS on demand with Valkey caching 389 389 + - Jetstream still useful for real-time updates 390 390 + 391 391 + ## Summary Table 392 392 + 393 393 + | Category | Tables | % of Schema | Truly Persistent? | 394 394 + |----------|--------|-------------|-------------------| 395 395 + | Auth & Sessions + Metrics | 6 | 32% | Yes | 396 396 + | PDS Cache | 11 | 58% | No (rebuildable) | 397 397 + | Operational | 2 | 10% | No | 398 398 + 399 399 + **~58% of the database is cached ATProto data that could be rebuilt from PDSes.**

+1 -1

go.mod

··· 1 1 module atcr.io 2 2 3 3 - go 1.25.5 3 3 + go 1.25.4 4 4 5 5 require ( 6 6 github.com/aws/aws-sdk-go v1.55.5

+21

lexicons/io/atcr/authFullApp.json

··· 1 1 + { 2 2 + "lexicon": 1, 3 3 + "id": "io.atcr.authFullApp", 4 4 + "defs": { 5 5 + "main": { 6 6 + "type": "permission-set", 7 7 + "title": "AT Container Registry", 8 8 + "title:langs": {}, 9 9 + "detail": "Push and pull container images to the ATProto Container Registry. Includes creating and managing image manifests, tags, and repository settings.", 10 10 + "detail:langs": {}, 11 11 + "permissions": [ 12 12 + { 13 13 + "type": "permission", 14 14 + "resource": "repo", 15 15 + "action": ["create", "update", "delete"], 16 16 + "collection": ["io.atcr.manifest", "io.atcr.tag", "io.atcr.sailor.star", "io.atcr.sailor.profile", "io.atcr.repo.page"] 17 17 + } 18 18 + ] 19 19 + } 20 20 + } 21 21 + }

+4 -2

lexicons/io/atcr/hold/captain.json

··· 34 34 }, 35 35 "region": { 36 36 "type": "string", 37 37 - "description": "S3 region where blobs are stored" 37 37 + "description": "S3 region where blobs are stored", 38 38 + "maxLength": 64 38 39 }, 39 40 "provider": { 40 41 "type": "string", 41 41 - "description": "Deployment provider (e.g., fly.io, aws, etc.)" 42 42 + "description": "Deployment provider (e.g., fly.io, aws, etc.)", 43 43 + "maxLength": 64 42 44 } 43 45 } 44 46 }

+4 -2

lexicons/io/atcr/hold/crew.json

··· 18 18 "role": { 19 19 "type": "string", 20 20 "description": "Member's role in the hold", 21 21 - "knownValues": ["owner", "admin", "write", "read"] 21 21 + "knownValues": ["owner", "admin", "write", "read"], 22 22 + "maxLength": 32 22 23 }, 23 24 "permissions": { 24 25 "type": "array", 25 26 "description": "Specific permissions granted to this member", 26 27 "items": { 27 27 - "type": "string" 28 28 + "type": "string", 29 29 + "maxLength": 64 28 30 } 29 31 }, 30 32 "addedAt": {

+6 -3

lexicons/io/atcr/hold/layer.json

··· 12 12 "properties": { 13 13 "digest": { 14 14 "type": "string", 15 15 - "description": "Layer digest (e.g., sha256:abc123...)" 15 15 + "description": "Layer digest (e.g., sha256:abc123...)", 16 16 + "maxLength": 128 16 17 }, 17 18 "size": { 18 19 "type": "integer", ··· 20 21 }, 21 22 "mediaType": { 22 23 "type": "string", 23 23 - "description": "Media type (e.g., application/vnd.oci.image.layer.v1.tar+gzip)" 24 24 + "description": "Media type (e.g., application/vnd.oci.image.layer.v1.tar+gzip)", 25 25 + "maxLength": 128 24 26 }, 25 27 "repository": { 26 28 "type": "string", 27 27 - "description": "Repository this layer belongs to" 29 29 + "description": "Repository this layer belongs to", 30 30 + "maxLength": 255 28 31 }, 29 32 "userDid": { 30 33 "type": "string",

+28 -17

lexicons/io/atcr/manifest.json

··· 17 17 }, 18 18 "digest": { 19 19 "type": "string", 20 20 - "description": "Content digest (e.g., 'sha256:abc123...')" 20 20 + "description": "Content digest (e.g., 'sha256:abc123...')", 21 21 + "maxLength": 128 21 22 }, 22 23 "holdDid": { 23 24 "type": "string", ··· 37 38 "application/vnd.docker.distribution.manifest.v2+json", 38 39 "application/vnd.oci.image.index.v1+json", 39 40 "application/vnd.docker.distribution.manifest.list.v2+json" 40 40 - ] 41 41 + ], 42 42 + "maxLength": 128 41 43 }, 42 44 "schemaVersion": { 43 45 "type": "integer", ··· 65 67 "description": "Referenced manifests (for manifest lists/indexes)" 66 68 }, 67 69 "annotations": { 68 68 - "type": "object", 69 69 - "description": "Optional metadata annotations" 70 70 + "type": "unknown", 71 71 + "description": "Optional OCI annotation metadata. Map of string keys to string values (e.g., org.opencontainers.image.title → 'My App')." 70 72 }, 71 73 "subject": { 72 74 "type": "ref", ··· 92 94 "properties": { 93 95 "mediaType": { 94 96 "type": "string", 95 95 - "description": "MIME type of the blob" 97 97 + "description": "MIME type of the blob", 98 98 + "maxLength": 128 96 99 }, 97 100 "size": { 98 101 "type": "integer", ··· 100 103 }, 101 104 "digest": { 102 105 "type": "string", 103 103 - "description": "Content digest (e.g., 'sha256:...')" 106 106 + "description": "Content digest (e.g., 'sha256:...')", 107 107 + "maxLength": 128 104 108 }, 105 109 "urls": { 106 110 "type": "array", ··· 111 115 "description": "Optional direct URLs to blob (for BYOS)" 112 116 }, 113 117 "annotations": { 114 114 - "type": "object", 115 115 - "description": "Optional metadata" 118 118 + "type": "unknown", 119 119 + "description": "Optional OCI annotation metadata. Map of string keys to string values." 116 120 } 117 121 } 118 122 }, ··· 123 127 "properties": { 124 128 "mediaType": { 125 129 "type": "string", 126 126 - "description": "Media type of the referenced manifest" 130 130 + "description": "Media type of the referenced manifest", 131 131 + "maxLength": 128 127 132 }, 128 133 "size": { 129 134 "type": "integer", ··· 131 136 }, 132 137 "digest": { 133 138 "type": "string", 134 134 - "description": "Content digest (e.g., 'sha256:...')" 139 139 + "description": "Content digest (e.g., 'sha256:...')", 140 140 + "maxLength": 128 135 141 }, 136 142 "platform": { 137 143 "type": "ref", ··· 139 145 "description": "Platform information for this manifest" 140 146 }, 141 147 "annotations": { 142 142 - "type": "object", 143 143 - "description": "Optional metadata" 148 148 + "type": "unknown", 149 149 + "description": "Optional OCI annotation metadata. Map of string keys to string values." 144 150 } 145 151 } 146 152 }, ··· 151 157 "properties": { 152 158 "architecture": { 153 159 "type": "string", 154 154 - "description": "CPU architecture (e.g., 'amd64', 'arm64', 'arm')" 160 160 + "description": "CPU architecture (e.g., 'amd64', 'arm64', 'arm')", 161 161 + "maxLength": 32 155 162 }, 156 163 "os": { 157 164 "type": "string", 158 158 - "description": "Operating system (e.g., 'linux', 'windows', 'darwin')" 165 165 + "description": "Operating system (e.g., 'linux', 'windows', 'darwin')", 166 166 + "maxLength": 32 159 167 }, 160 168 "osVersion": { 161 169 "type": "string", 162 162 - "description": "Optional OS version" 170 170 + "description": "Optional OS version", 171 171 + "maxLength": 64 163 172 }, 164 173 "osFeatures": { 165 174 "type": "array", 166 175 "items": { 167 167 - "type": "string" 176 176 + "type": "string", 177 177 + "maxLength": 64 168 178 }, 169 179 "description": "Optional OS features" 170 180 }, 171 181 "variant": { 172 182 "type": "string", 173 173 - "description": "Optional CPU variant (e.g., 'v7' for ARM)" 183 183 + "description": "Optional CPU variant (e.g., 'v7' for ARM)", 184 184 + "maxLength": 32 174 185 } 175 186 } 176 187 }

+43

lexicons/io/atcr/repo/page.json

··· 1 1 + { 2 2 + "lexicon": 1, 3 3 + "id": "io.atcr.repo.page", 4 4 + "defs": { 5 5 + "main": { 6 6 + "type": "record", 7 7 + "description": "Repository page metadata including description and avatar. Users can edit this directly in their PDS to customize their repository page.", 8 8 + "key": "any", 9 9 + "record": { 10 10 + "type": "object", 11 11 + "required": ["repository", "createdAt", "updatedAt"], 12 12 + "properties": { 13 13 + "repository": { 14 14 + "type": "string", 15 15 + "description": "The name of the repository (e.g., 'myapp'). Must match the rkey.", 16 16 + "maxLength": 256 17 17 + }, 18 18 + "description": { 19 19 + "type": "string", 20 20 + "description": "Markdown README/description content for the repository page.", 21 21 + "maxLength": 100000 22 22 + }, 23 23 + "avatar": { 24 24 + "type": "blob", 25 25 + "description": "Repository avatar/icon image.", 26 26 + "accept": ["image/png", "image/jpeg", "image/webp"], 27 27 + "maxSize": 3000000 28 28 + }, 29 29 + "createdAt": { 30 30 + "type": "string", 31 31 + "format": "datetime", 32 32 + "description": "Record creation timestamp" 33 33 + }, 34 34 + "updatedAt": { 35 35 + "type": "string", 36 36 + "format": "datetime", 37 37 + "description": "Record last updated timestamp" 38 38 + } 39 39 + } 40 40 + } 41 41 + } 42 42 + } 43 43 + }

+2 -1

lexicons/io/atcr/tag.json

··· 27 27 }, 28 28 "manifestDigest": { 29 29 "type": "string", 30 30 - "description": "DEPRECATED: Digest of the manifest (e.g., 'sha256:...'). Kept for backward compatibility with old records. New records should use 'manifest' field instead." 30 30 + "description": "DEPRECATED: Digest of the manifest (e.g., 'sha256:...'). Kept for backward compatibility with old records. New records should use 'manifest' field instead.", 31 31 + "maxLength": 128 31 32 }, 32 33 "createdAt": { 33 34 "type": "string",

-4

pkg/appview/config.go

··· 79 79 80 80 // CheckInterval is the hold health check refresh interval (from env: ATCR_HEALTH_CHECK_INTERVAL, default: 15m) 81 81 CheckInterval time.Duration `yaml:"check_interval"` 82 82 - 83 83 - // ReadmeCacheTTL is the README cache TTL (from env: ATCR_README_CACHE_TTL, default: 1h) 84 84 - ReadmeCacheTTL time.Duration `yaml:"readme_cache_ttl"` 85 82 } 86 83 87 84 // JetstreamConfig defines ATProto Jetstream settings ··· 165 162 // Health and cache configuration 166 163 cfg.Health.CacheTTL = getDurationOrDefault("ATCR_HEALTH_CACHE_TTL", 15*time.Minute) 167 164 cfg.Health.CheckInterval = getDurationOrDefault("ATCR_HEALTH_CHECK_INTERVAL", 15*time.Minute) 168 168 - cfg.Health.ReadmeCacheTTL = getDurationOrDefault("ATCR_README_CACHE_TTL", 1*time.Hour) 169 165 170 166 // Jetstream configuration 171 167 cfg.Jetstream.URL = getEnvOrDefault("JETSTREAM_URL", "wss://jetstream2.us-west.bsky.network/subscribe")

+18

pkg/appview/db/migrations/0006_add_repo_pages.yaml

··· 1 1 + description: Add repo_pages table and remove readme_cache 2 2 + query: | 3 3 + -- Create repo_pages table for storing repository page metadata 4 4 + -- This replaces readme_cache with PDS-synced data 5 5 + CREATE TABLE IF NOT EXISTS repo_pages ( 6 6 + did TEXT NOT NULL, 7 7 + repository TEXT NOT NULL, 8 8 + description TEXT, 9 9 + avatar_cid TEXT, 10 10 + created_at TIMESTAMP NOT NULL, 11 11 + updated_at TIMESTAMP NOT NULL, 12 12 + PRIMARY KEY(did, repository), 13 13 + FOREIGN KEY(did) REFERENCES users(did) ON DELETE CASCADE 14 14 + ); 15 15 + CREATE INDEX IF NOT EXISTS idx_repo_pages_did ON repo_pages(did); 16 16 + 17 17 + -- Drop readme_cache table (no longer needed) 18 18 + DROP TABLE IF EXISTS readme_cache;

+3 -2

pkg/appview/db/models.go

··· 148 148 // TagWithPlatforms extends Tag with platform information 149 149 type TagWithPlatforms struct { 150 150 Tag 151 151 - Platforms []PlatformInfo 152 152 - IsMultiArch bool 151 151 + Platforms []PlatformInfo 152 152 + IsMultiArch bool 153 153 + HasAttestations bool // true if manifest list contains attestation references 153 154 } 154 155 155 156 // ManifestWithMetadata extends Manifest with tags and platform information

+119 -33

pkg/appview/db/queries.go

··· 7 7 "time" 8 8 ) 9 9 10 10 + // BlobCDNURL returns the CDN URL for an ATProto blob 11 11 + // This is a local copy to avoid importing atproto (prevents circular dependencies) 12 12 + func BlobCDNURL(did, cid string) string { 13 13 + return fmt.Sprintf("https://imgs.blue/%s/%s", did, cid) 14 14 + } 15 15 + 10 16 // escapeLikePattern escapes SQL LIKE wildcards (%, _) and backslash for safe searching. 11 17 // It also sanitizes the input to prevent injection attacks via special characters. 12 18 func escapeLikePattern(s string) string { ··· 46 52 COALESCE((SELECT COUNT(*) FROM stars WHERE owner_did = u.did AND repository = t.repository), 0), 47 53 COALESCE((SELECT COUNT(*) FROM stars WHERE starrer_did = ? AND owner_did = u.did AND repository = t.repository), 0), 48 54 t.created_at, 49 49 - m.hold_endpoint 55 55 + m.hold_endpoint, 56 56 + COALESCE(rp.avatar_cid, '') 50 57 FROM tags t 51 58 JOIN users u ON t.did = u.did 52 59 JOIN manifests m ON t.did = m.did AND t.repository = m.repository AND t.digest = m.digest 53 60 LEFT JOIN repository_stats rs ON t.did = rs.did AND t.repository = rs.repository 61 61 + LEFT JOIN repo_pages rp ON t.did = rp.did AND t.repository = rp.repository 54 62 ` 55 63 56 64 args := []any{currentUserDID} ··· 73 81 for rows.Next() { 74 82 var p Push 75 83 var isStarredInt int 76 76 - if err := rows.Scan(&p.DID, &p.Handle, &p.Repository, &p.Tag, &p.Digest, &p.Title, &p.Description, &p.IconURL, &p.PullCount, &p.StarCount, &isStarredInt, &p.CreatedAt, &p.HoldEndpoint); err != nil { 84 84 + var avatarCID string 85 85 + if err := rows.Scan(&p.DID, &p.Handle, &p.Repository, &p.Tag, &p.Digest, &p.Title, &p.Description, &p.IconURL, &p.PullCount, &p.StarCount, &isStarredInt, &p.CreatedAt, &p.HoldEndpoint, &avatarCID); err != nil { 77 86 return nil, 0, err 78 87 } 79 88 p.IsStarred = isStarredInt > 0 89 89 + // Prefer repo page avatar over annotation icon 90 90 + if avatarCID != "" { 91 91 + p.IconURL = BlobCDNURL(p.DID, avatarCID) 92 92 + } 80 93 pushes = append(pushes, p) 81 94 } 82 95 ··· 119 132 COALESCE((SELECT COUNT(*) FROM stars WHERE owner_did = u.did AND repository = t.repository), 0), 120 133 COALESCE((SELECT COUNT(*) FROM stars WHERE starrer_did = ? AND owner_did = u.did AND repository = t.repository), 0), 121 134 t.created_at, 122 122 - m.hold_endpoint 135 135 + m.hold_endpoint, 136 136 + COALESCE(rp.avatar_cid, '') 123 137 FROM tags t 124 138 JOIN users u ON t.did = u.did 125 139 JOIN manifests m ON t.did = m.did AND t.repository = m.repository AND t.digest = m.digest 126 140 LEFT JOIN repository_stats rs ON t.did = rs.did AND t.repository = rs.repository 141 141 + LEFT JOIN repo_pages rp ON t.did = rp.did AND t.repository = rp.repository 127 142 WHERE u.handle LIKE ? ESCAPE '\' 128 143 OR u.did = ? 129 144 OR t.repository LIKE ? ESCAPE '\' ··· 146 161 for rows.Next() { 147 162 var p Push 148 163 var isStarredInt int 149 149 - if err := rows.Scan(&p.DID, &p.Handle, &p.Repository, &p.Tag, &p.Digest, &p.Title, &p.Description, &p.IconURL, &p.PullCount, &p.StarCount, &isStarredInt, &p.CreatedAt, &p.HoldEndpoint); err != nil { 164 164 + var avatarCID string 165 165 + if err := rows.Scan(&p.DID, &p.Handle, &p.Repository, &p.Tag, &p.Digest, &p.Title, &p.Description, &p.IconURL, &p.PullCount, &p.StarCount, &isStarredInt, &p.CreatedAt, &p.HoldEndpoint, &avatarCID); err != nil { 150 166 return nil, 0, err 151 167 } 152 168 p.IsStarred = isStarredInt > 0 169 169 + // Prefer repo page avatar over annotation icon 170 170 + if avatarCID != "" { 171 171 + p.IconURL = BlobCDNURL(p.DID, avatarCID) 172 172 + } 153 173 pushes = append(pushes, p) 154 174 } 155 175 ··· 292 312 r.Licenses = annotations["org.opencontainers.image.licenses"] 293 313 r.IconURL = annotations["io.atcr.icon"] 294 314 r.ReadmeURL = annotations["io.atcr.readme"] 315 315 + 316 316 + // Check for repo page avatar (overrides annotation icon) 317 317 + repoPage, err := GetRepoPage(db, did, r.Name) 318 318 + if err == nil && repoPage != nil && repoPage.AvatarCID != "" { 319 319 + r.IconURL = BlobCDNURL(did, repoPage.AvatarCID) 320 320 + } 295 321 296 322 repos = append(repos, r) 297 323 } ··· 596 622 // GetTagsWithPlatforms returns all tags for a repository with platform information 597 623 // Only multi-arch tags (manifest lists) have platform info in manifest_references 598 624 // Single-arch tags will have empty Platforms slice (platform is obvious for single-arch) 625 625 + // Attestation references (unknown/unknown platforms) are filtered out but tracked via HasAttestations 599 626 func GetTagsWithPlatforms(db *sql.DB, did, repository string) ([]TagWithPlatforms, error) { 600 627 rows, err := db.Query(` 601 628 SELECT ··· 609 636 COALESCE(mr.platform_os, '') as platform_os, 610 637 COALESCE(mr.platform_architecture, '') as platform_architecture, 611 638 COALESCE(mr.platform_variant, '') as platform_variant, 612 612 - COALESCE(mr.platform_os_version, '') as platform_os_version 639 639 + COALESCE(mr.platform_os_version, '') as platform_os_version, 640 640 + COALESCE(mr.is_attestation, 0) as is_attestation 613 641 FROM tags t 614 642 JOIN manifests m ON t.digest = m.digest AND t.did = m.did AND t.repository = m.repository 615 643 LEFT JOIN manifest_references mr ON m.id = mr.manifest_id ··· 629 657 for rows.Next() { 630 658 var t Tag 631 659 var mediaType, platformOS, platformArch, platformVariant, platformOSVersion string 660 660 + var isAttestation bool 632 661 633 662 if err := rows.Scan(&t.ID, &t.DID, &t.Repository, &t.Tag, &t.Digest, &t.CreatedAt, 634 634 - &mediaType, &platformOS, &platformArch, &platformVariant, &platformOSVersion); err != nil { 663 663 + &mediaType, &platformOS, &platformArch, &platformVariant, &platformOSVersion, &isAttestation); err != nil { 635 664 return nil, err 636 665 } 637 666 ··· 643 672 Platforms: []PlatformInfo{}, 644 673 } 645 674 tagOrder = append(tagOrder, tagKey) 675 675 + } 676 676 + 677 677 + // Track if manifest list has attestations 678 678 + if isAttestation { 679 679 + tagMap[tagKey].HasAttestations = true 680 680 + // Skip attestation references in platform display 681 681 + continue 646 682 } 647 683 648 684 // Add platform info if present (only for multi-arch manifest lists) ··· 1598 1634 return time.Time{}, fmt.Errorf("unable to parse timestamp: %s", s) 1599 1635 } 1600 1636 1601 1601 - // MetricsDB wraps a sql.DB and implements the metrics interface for middleware 1602 1602 - type MetricsDB struct { 1603 1603 - db *sql.DB 1604 1604 - } 1605 1605 - 1606 1606 - // NewMetricsDB creates a new metrics database wrapper 1607 1607 - func NewMetricsDB(db *sql.DB) *MetricsDB { 1608 1608 - return &MetricsDB{db: db} 1609 1609 - } 1610 1610 - 1611 1611 - // IncrementPullCount increments the pull count for a repository 1612 1612 - func (m *MetricsDB) IncrementPullCount(did, repository string) error { 1613 1613 - return IncrementPullCount(m.db, did, repository) 1614 1614 - } 1615 1615 - 1616 1616 - // IncrementPushCount increments the push count for a repository 1617 1617 - func (m *MetricsDB) IncrementPushCount(did, repository string) error { 1618 1618 - return IncrementPushCount(m.db, did, repository) 1619 1619 - } 1620 1620 - 1621 1621 - // GetLatestHoldDIDForRepo returns the hold DID from the most recent manifest for a repository 1622 1622 - func (m *MetricsDB) GetLatestHoldDIDForRepo(did, repository string) (string, error) { 1623 1623 - return GetLatestHoldDIDForRepo(m.db, did, repository) 1624 1624 - } 1625 1625 - 1626 1637 // GetFeaturedRepositories fetches top repositories sorted by stars and pulls 1627 1638 func GetFeaturedRepositories(db *sql.DB, limit int, currentUserDID string) ([]FeaturedRepository, error) { 1628 1639 query := ` ··· 1650 1661 COALESCE((SELECT value FROM repository_annotations WHERE did = m.did AND repository = m.repository AND key = 'io.atcr.icon'), ''), 1651 1662 rs.pull_count, 1652 1663 rs.star_count, 1653 1653 - COALESCE((SELECT COUNT(*) FROM stars WHERE starrer_did = ? AND owner_did = m.did AND repository = m.repository), 0) 1664 1664 + COALESCE((SELECT COUNT(*) FROM stars WHERE starrer_did = ? AND owner_did = m.did AND repository = m.repository), 0), 1665 1665 + COALESCE(rp.avatar_cid, '') 1654 1666 FROM latest_manifests lm 1655 1667 JOIN manifests m ON lm.latest_id = m.id 1656 1668 JOIN users u ON m.did = u.did 1657 1669 JOIN repo_stats rs ON m.did = rs.did AND m.repository = rs.repository 1670 1670 + LEFT JOIN repo_pages rp ON m.did = rp.did AND m.repository = rp.repository 1658 1671 ORDER BY rs.score DESC, rs.star_count DESC, rs.pull_count DESC, m.created_at DESC 1659 1672 LIMIT ? 1660 1673 ` ··· 1669 1682 for rows.Next() { 1670 1683 var f FeaturedRepository 1671 1684 var isStarredInt int 1685 1685 + var avatarCID string 1672 1686 1673 1687 if err := rows.Scan(&f.OwnerDID, &f.OwnerHandle, &f.Repository, 1674 1674 - &f.Title, &f.Description, &f.IconURL, &f.PullCount, &f.StarCount, &isStarredInt); err != nil { 1688 1688 + &f.Title, &f.Description, &f.IconURL, &f.PullCount, &f.StarCount, &isStarredInt, &avatarCID); err != nil { 1675 1689 return nil, err 1676 1690 } 1677 1691 f.IsStarred = isStarredInt > 0 1692 1692 + // Prefer repo page avatar over annotation icon 1693 1693 + if avatarCID != "" { 1694 1694 + f.IconURL = BlobCDNURL(f.OwnerDID, avatarCID) 1695 1695 + } 1678 1696 1679 1697 featured = append(featured, f) 1680 1698 } 1681 1699 1682 1700 return featured, nil 1683 1701 } 1702 1702 + 1703 1703 + // RepoPage represents a repository page record cached from PDS 1704 1704 + type RepoPage struct { 1705 1705 + DID string 1706 1706 + Repository string 1707 1707 + Description string 1708 1708 + AvatarCID string 1709 1709 + CreatedAt time.Time 1710 1710 + UpdatedAt time.Time 1711 1711 + } 1712 1712 + 1713 1713 + // UpsertRepoPage inserts or updates a repo page record 1714 1714 + func UpsertRepoPage(db *sql.DB, did, repository, description, avatarCID string, createdAt, updatedAt time.Time) error { 1715 1715 + _, err := db.Exec(` 1716 1716 + INSERT INTO repo_pages (did, repository, description, avatar_cid, created_at, updated_at) 1717 1717 + VALUES (?, ?, ?, ?, ?, ?) 1718 1718 + ON CONFLICT(did, repository) DO UPDATE SET 1719 1719 + description = excluded.description, 1720 1720 + avatar_cid = excluded.avatar_cid, 1721 1721 + updated_at = excluded.updated_at 1722 1722 + `, did, repository, description, avatarCID, createdAt, updatedAt) 1723 1723 + return err 1724 1724 + } 1725 1725 + 1726 1726 + // GetRepoPage retrieves a repo page record 1727 1727 + func GetRepoPage(db *sql.DB, did, repository string) (*RepoPage, error) { 1728 1728 + var rp RepoPage 1729 1729 + err := db.QueryRow(` 1730 1730 + SELECT did, repository, description, avatar_cid, created_at, updated_at 1731 1731 + FROM repo_pages 1732 1732 + WHERE did = ? AND repository = ? 1733 1733 + `, did, repository).Scan(&rp.DID, &rp.Repository, &rp.Description, &rp.AvatarCID, &rp.CreatedAt, &rp.UpdatedAt) 1734 1734 + if err != nil { 1735 1735 + return nil, err 1736 1736 + } 1737 1737 + return &rp, nil 1738 1738 + } 1739 1739 + 1740 1740 + // DeleteRepoPage deletes a repo page record 1741 1741 + func DeleteRepoPage(db *sql.DB, did, repository string) error { 1742 1742 + _, err := db.Exec(` 1743 1743 + DELETE FROM repo_pages WHERE did = ? AND repository = ? 1744 1744 + `, did, repository) 1745 1745 + return err 1746 1746 + } 1747 1747 + 1748 1748 + // GetRepoPagesByDID returns all repo pages for a DID 1749 1749 + func GetRepoPagesByDID(db *sql.DB, did string) ([]RepoPage, error) { 1750 1750 + rows, err := db.Query(` 1751 1751 + SELECT did, repository, description, avatar_cid, created_at, updated_at 1752 1752 + FROM repo_pages 1753 1753 + WHERE did = ? 1754 1754 + `, did) 1755 1755 + if err != nil { 1756 1756 + return nil, err 1757 1757 + } 1758 1758 + defer rows.Close() 1759 1759 + 1760 1760 + var pages []RepoPage 1761 1761 + for rows.Next() { 1762 1762 + var rp RepoPage 1763 1763 + if err := rows.Scan(&rp.DID, &rp.Repository, &rp.Description, &rp.AvatarCID, &rp.CreatedAt, &rp.UpdatedAt); err != nil { 1764 1764 + return nil, err 1765 1765 + } 1766 1766 + pages = append(pages, rp) 1767 1767 + } 1768 1768 + return pages, rows.Err() 1769 1769 + }

+10 -5

pkg/appview/db/schema.sql

··· 205 205 ); 206 206 CREATE INDEX IF NOT EXISTS idx_crew_denials_retry ON hold_crew_denials(next_retry_at); 207 207 208 208 - CREATE TABLE IF NOT EXISTS readme_cache ( 209 209 - url TEXT PRIMARY KEY, 210 210 - html TEXT NOT NULL, 211 211 - fetched_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP 208 208 + CREATE TABLE IF NOT EXISTS repo_pages ( 209 209 + did TEXT NOT NULL, 210 210 + repository TEXT NOT NULL, 211 211 + description TEXT, 212 212 + avatar_cid TEXT, 213 213 + created_at TIMESTAMP NOT NULL, 214 214 + updated_at TIMESTAMP NOT NULL, 215 215 + PRIMARY KEY(did, repository), 216 216 + FOREIGN KEY(did) REFERENCES users(did) ON DELETE CASCADE 212 217 ); 213 213 - CREATE INDEX IF NOT EXISTS idx_readme_cache_fetched ON readme_cache(fetched_at); 218 218 + CREATE INDEX IF NOT EXISTS idx_repo_pages_did ON repo_pages(did);

+32

pkg/appview/handlers/errors.go

··· 1 1 + package handlers 2 2 + 3 3 + import ( 4 4 + "html/template" 5 5 + "net/http" 6 6 + ) 7 7 + 8 8 + // NotFoundHandler handles 404 errors 9 9 + type NotFoundHandler struct { 10 10 + Templates *template.Template 11 11 + RegistryURL string 12 12 + } 13 13 + 14 14 + func (h *NotFoundHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 15 15 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 16 16 + } 17 17 + 18 18 + // RenderNotFound renders the 404 page template. 19 19 + // Use this from other handlers when a resource is not found. 20 20 + func RenderNotFound(w http.ResponseWriter, r *http.Request, templates *template.Template, registryURL string) { 21 21 + w.WriteHeader(http.StatusNotFound) 22 22 + 23 23 + data := struct { 24 24 + PageData 25 25 + }{ 26 26 + PageData: NewPageData(r, registryURL), 27 27 + } 28 28 + 29 29 + if err := templates.ExecuteTemplate(w, "404", data); err != nil { 30 30 + http.Error(w, "Page not found", http.StatusNotFound) 31 31 + } 32 32 + }

+114

pkg/appview/handlers/images.go

··· 3 3 import ( 4 4 "database/sql" 5 5 "encoding/json" 6 6 + "errors" 6 7 "fmt" 8 8 + "io" 7 9 "net/http" 8 10 "strings" 11 11 + "time" 9 12 10 13 "atcr.io/pkg/appview/db" 11 14 "atcr.io/pkg/appview/middleware" ··· 155 158 156 159 w.WriteHeader(http.StatusOK) 157 160 } 161 161 + 162 162 + // UploadAvatarHandler handles uploading/updating a repository avatar 163 163 + type UploadAvatarHandler struct { 164 164 + DB *sql.DB 165 165 + Refresher *oauth.Refresher 166 166 + } 167 167 + 168 168 + // validImageTypes are the allowed MIME types for avatars (matches lexicon) 169 169 + var validImageTypes = map[string]bool{ 170 170 + "image/png": true, 171 171 + "image/jpeg": true, 172 172 + "image/webp": true, 173 173 + } 174 174 + 175 175 + func (h *UploadAvatarHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 176 176 + user := middleware.GetUser(r) 177 177 + if user == nil { 178 178 + http.Error(w, "Unauthorized", http.StatusUnauthorized) 179 179 + return 180 180 + } 181 181 + 182 182 + repo := chi.URLParam(r, "repository") 183 183 + 184 184 + // Parse multipart form (max 3MB to match lexicon maxSize) 185 185 + if err := r.ParseMultipartForm(3 << 20); err != nil { 186 186 + http.Error(w, "File too large (max 3MB)", http.StatusBadRequest) 187 187 + return 188 188 + } 189 189 + 190 190 + file, header, err := r.FormFile("avatar") 191 191 + if err != nil { 192 192 + http.Error(w, "No file provided", http.StatusBadRequest) 193 193 + return 194 194 + } 195 195 + defer file.Close() 196 196 + 197 197 + // Validate MIME type 198 198 + contentType := header.Header.Get("Content-Type") 199 199 + if !validImageTypes[contentType] { 200 200 + http.Error(w, "Invalid file type. Must be PNG, JPEG, or WebP", http.StatusBadRequest) 201 201 + return 202 202 + } 203 203 + 204 204 + // Read file data 205 205 + data, err := io.ReadAll(io.LimitReader(file, 3<<20+1)) // Read up to 3MB + 1 byte 206 206 + if err != nil { 207 207 + http.Error(w, "Failed to read file", http.StatusInternalServerError) 208 208 + return 209 209 + } 210 210 + if len(data) > 3<<20 { 211 211 + http.Error(w, "File too large (max 3MB)", http.StatusBadRequest) 212 212 + return 213 213 + } 214 214 + 215 215 + // Create ATProto client with session provider (uses DoWithSession for DPoP nonce safety) 216 216 + pdsClient := atproto.NewClientWithSessionProvider(user.PDSEndpoint, user.DID, h.Refresher) 217 217 + 218 218 + // Upload blob to PDS 219 219 + blobRef, err := pdsClient.UploadBlob(r.Context(), data, contentType) 220 220 + if err != nil { 221 221 + if handleOAuthError(r.Context(), h.Refresher, user.DID, err) { 222 222 + http.Error(w, "Authentication failed, please log in again", http.StatusUnauthorized) 223 223 + return 224 224 + } 225 225 + http.Error(w, fmt.Sprintf("Failed to upload image: %v", err), http.StatusInternalServerError) 226 226 + return 227 227 + } 228 228 + 229 229 + // Fetch existing repo page record to preserve description 230 230 + var existingDescription string 231 231 + var existingCreatedAt time.Time 232 232 + record, err := pdsClient.GetRecord(r.Context(), atproto.RepoPageCollection, repo) 233 233 + if err == nil { 234 234 + // Parse existing record to preserve description 235 235 + var existingRecord atproto.RepoPageRecord 236 236 + if jsonErr := json.Unmarshal(record.Value, &existingRecord); jsonErr == nil { 237 237 + existingDescription = existingRecord.Description 238 238 + existingCreatedAt = existingRecord.CreatedAt 239 239 + } 240 240 + } else if !errors.Is(err, atproto.ErrRecordNotFound) { 241 241 + // Some other error - check if OAuth error 242 242 + if handleOAuthError(r.Context(), h.Refresher, user.DID, err) { 243 243 + http.Error(w, "Authentication failed, please log in again", http.StatusUnauthorized) 244 244 + return 245 245 + } 246 246 + // Log but continue - we'll create a new record 247 247 + } 248 248 + 249 249 + // Create updated repo page record 250 250 + repoPage := atproto.NewRepoPageRecord(repo, existingDescription, blobRef) 251 251 + // Preserve original createdAt if record existed 252 252 + if !existingCreatedAt.IsZero() { 253 253 + repoPage.CreatedAt = existingCreatedAt 254 254 + } 255 255 + 256 256 + // Save record to PDS 257 257 + _, err = pdsClient.PutRecord(r.Context(), atproto.RepoPageCollection, repo, repoPage) 258 258 + if err != nil { 259 259 + if handleOAuthError(r.Context(), h.Refresher, user.DID, err) { 260 260 + http.Error(w, "Authentication failed, please log in again", http.StatusUnauthorized) 261 261 + return 262 262 + } 263 263 + http.Error(w, fmt.Sprintf("Failed to update repository page: %v", err), http.StatusInternalServerError) 264 264 + return 265 265 + } 266 266 + 267 267 + // Return new avatar URL 268 268 + avatarURL := atproto.BlobCDNURL(user.DID, blobRef.Ref.Link) 269 269 + w.Header().Set("Content-Type", "application/json") 270 270 + json.NewEncoder(w).Encode(map[string]string{"avatarURL": avatarURL}) 271 271 + }

+40 -15

pkg/appview/handlers/repository.go

··· 27 27 Directory identity.Directory 28 28 Refresher *oauth.Refresher 29 29 HealthChecker *holdhealth.Checker 30 30 - ReadmeCache *readme.Cache 30 30 + ReadmeFetcher *readme.Fetcher // For rendering repo page descriptions 31 31 } 32 32 33 33 func (h *RepositoryPageHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { ··· 37 37 // Resolve identifier (handle or DID) to canonical DID and current handle 38 38 did, resolvedHandle, _, err := atproto.ResolveIdentity(r.Context(), identifier) 39 39 if err != nil { 40 40 - http.Error(w, "User not found", http.StatusNotFound) 40 40 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 41 41 return 42 42 } 43 43 ··· 48 48 return 49 49 } 50 50 if owner == nil { 51 51 - http.Error(w, "User not found", http.StatusNotFound) 51 51 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 52 52 return 53 53 } 54 54 ··· 136 136 } 137 137 138 138 if len(tagsWithPlatforms) == 0 && len(manifests) == 0 { 139 139 - http.Error(w, "Repository not found", http.StatusNotFound) 139 139 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 140 140 return 141 141 } 142 142 ··· 190 190 isOwner = (user.DID == owner.DID) 191 191 } 192 192 193 193 - // Fetch README content if available 193 193 + // Fetch README content from repo page record or annotations 194 194 var readmeHTML template.HTML 195 195 - if repo.ReadmeURL != "" && h.ReadmeCache != nil { 196 196 - // Fetch with timeout 197 197 - ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second) 198 198 - defer cancel() 199 195 200 200 - html, err := h.ReadmeCache.Get(ctx, repo.ReadmeURL) 201 201 - if err != nil { 202 202 - slog.Warn("Failed to fetch README", "url", repo.ReadmeURL, "error", err) 203 203 - // Continue without README on error 204 204 - } else { 205 205 - readmeHTML = template.HTML(html) 196 196 + // Try repo page record from database (synced from PDS via Jetstream) 197 197 + repoPage, err := db.GetRepoPage(h.DB, owner.DID, repository) 198 198 + if err == nil && repoPage != nil { 199 199 + // Use repo page avatar if present 200 200 + if repoPage.AvatarCID != "" { 201 201 + repo.IconURL = atproto.BlobCDNURL(owner.DID, repoPage.AvatarCID) 202 202 + } 203 203 + // Render description as markdown if present 204 204 + if repoPage.Description != "" && h.ReadmeFetcher != nil { 205 205 + html, err := h.ReadmeFetcher.RenderMarkdown([]byte(repoPage.Description)) 206 206 + if err != nil { 207 207 + slog.Warn("Failed to render repo page description", "error", err) 208 208 + } else { 209 209 + readmeHTML = template.HTML(html) 210 210 + } 211 211 + } 212 212 + } 213 213 + // Fall back to fetching README from URL annotations if no description in repo page 214 214 + if readmeHTML == "" && h.ReadmeFetcher != nil { 215 215 + // Fall back to fetching from URL annotations 216 216 + readmeURL := repo.ReadmeURL 217 217 + if readmeURL == "" && repo.SourceURL != "" { 218 218 + // Try to derive README URL from source URL 219 219 + readmeURL = readme.DeriveReadmeURL(repo.SourceURL, "main") 220 220 + if readmeURL == "" { 221 221 + readmeURL = readme.DeriveReadmeURL(repo.SourceURL, "master") 222 222 + } 223 223 + } 224 224 + if readmeURL != "" { 225 225 + html, err := h.ReadmeFetcher.FetchAndRender(r.Context(), readmeURL) 226 226 + if err != nil { 227 227 + slog.Debug("Failed to fetch README from URL", "url", readmeURL, "error", err) 228 228 + } else { 229 229 + readmeHTML = template.HTML(html) 230 230 + } 206 231 } 207 232 } 208 233

+3 -6

pkg/appview/handlers/settings.go

··· 62 62 data.Profile.Handle = user.Handle 63 63 data.Profile.DID = user.DID 64 64 data.Profile.PDSEndpoint = user.PDSEndpoint 65 65 - if profile.DefaultHold != nil { 66 66 - data.Profile.DefaultHold = *profile.DefaultHold 67 67 - } 65 65 + data.Profile.DefaultHold = profile.DefaultHold 68 66 69 67 if err := h.Templates.ExecuteTemplate(w, "settings", data); err != nil { 70 68 http.Error(w, err.Error(), http.StatusInternalServerError) ··· 96 94 profile = atproto.NewSailorProfileRecord(holdEndpoint) 97 95 } else { 98 96 // Update existing profile 99 99 - profile.DefaultHold = &holdEndpoint 100 100 - now := time.Now().Format(time.RFC3339) 101 101 - profile.UpdatedAt = &now 97 97 + profile.DefaultHold = holdEndpoint 98 98 + profile.UpdatedAt = time.Now() 102 99 } 103 100 104 101 // Save profile

+1 -1

pkg/appview/handlers/user.go

··· 23 23 // Resolve identifier (handle or DID) to canonical DID and current handle 24 24 did, resolvedHandle, pdsEndpoint, err := atproto.ResolveIdentity(r.Context(), identifier) 25 25 if err != nil { 26 26 - http.Error(w, "User not found", http.StatusNotFound) 26 26 + RenderNotFound(w, r, h.Templates, h.RegistryURL) 27 27 return 28 28 } 29 29

+261 -20

pkg/appview/jetstream/backfill.go

··· 5 5 "database/sql" 6 6 "encoding/json" 7 7 "fmt" 8 8 + "io" 8 9 "log/slog" 10 10 + "net/http" 9 11 "strings" 10 12 "time" 11 13 12 14 "atcr.io/pkg/appview/db" 15 15 + "atcr.io/pkg/appview/readme" 13 16 "atcr.io/pkg/atproto" 17 17 + "atcr.io/pkg/auth/oauth" 14 18 ) 15 19 16 20 // BackfillWorker uses com.atproto.sync.listReposByCollection to backfill historical data 17 21 type BackfillWorker struct { 18 22 db *sql.DB 19 23 client *atproto.Client 20 20 - processor *Processor // Shared processor for DB operations 21 21 - defaultHoldDID string // Default hold DID from AppView config (e.g., "did:web:hold01.atcr.io") 22 22 - testMode bool // If true, suppress warnings for external holds 24 24 + processor *Processor // Shared processor for DB operations 25 25 + defaultHoldDID string // Default hold DID from AppView config (e.g., "did:web:hold01.atcr.io") 26 26 + testMode bool // If true, suppress warnings for external holds 27 27 + refresher *oauth.Refresher // OAuth refresher for PDS writes (optional, can be nil) 23 28 } 24 29 25 30 // BackfillState tracks backfill progress ··· 36 41 // NewBackfillWorker creates a backfill worker using sync API 37 42 // defaultHoldDID should be in format "did:web:hold01.atcr.io" 38 43 // To find a hold's DID, visit: https://hold-url/.well-known/did.json 39 39 - func NewBackfillWorker(database *sql.DB, relayEndpoint, defaultHoldDID string, testMode bool) (*BackfillWorker, error) { 44 44 + // refresher is optional - if provided, backfill will try to update PDS records when fetching README content 45 45 + func NewBackfillWorker(database *sql.DB, relayEndpoint, defaultHoldDID string, testMode bool, refresher *oauth.Refresher) (*BackfillWorker, error) { 40 46 // Create client for relay - used only for listReposByCollection 41 47 client := atproto.NewClient(relayEndpoint, "", "") 42 48 ··· 46 52 processor: NewProcessor(database, false), // No cache for batch processing 47 53 defaultHoldDID: defaultHoldDID, 48 54 testMode: testMode, 55 55 + refresher: refresher, 49 56 }, nil 50 57 } 51 58 ··· 67 74 atproto.TagCollection, // io.atcr.tag 68 75 atproto.StarCollection, // io.atcr.sailor.star 69 76 atproto.SailorProfileCollection, // io.atcr.sailor.profile 77 77 + atproto.RepoPageCollection, // io.atcr.repo.page 70 78 } 71 79 72 80 for _, collection := range collections { ··· 164 172 // Track what we found for deletion reconciliation 165 173 switch collection { 166 174 case atproto.ManifestCollection: 167 167 - var manifestRecord atproto.Manifest 175 175 + var manifestRecord atproto.ManifestRecord 168 176 if err := json.Unmarshal(record.Value, &manifestRecord); err == nil { 169 177 foundManifestDigests = append(foundManifestDigests, manifestRecord.Digest) 170 178 } 171 179 case atproto.TagCollection: 172 172 - var tagRecord atproto.Tag 180 180 + var tagRecord atproto.TagRecord 173 181 if err := json.Unmarshal(record.Value, &tagRecord); err == nil { 174 182 foundTags = append(foundTags, struct{ Repository, Tag string }{ 175 183 Repository: tagRecord.Repository, ··· 177 185 }) 178 186 } 179 187 case atproto.StarCollection: 180 180 - var starRecord atproto.SailorStar 188 188 + var starRecord atproto.StarRecord 181 189 if err := json.Unmarshal(record.Value, &starRecord); err == nil { 182 182 - key := fmt.Sprintf("%s/%s", starRecord.Subject.Did, starRecord.Subject.Repository) 183 183 - // Parse CreatedAt string to time.Time 184 184 - createdAt, parseErr := time.Parse(time.RFC3339, starRecord.CreatedAt) 185 185 - if parseErr != nil { 186 186 - createdAt = time.Now() 187 187 - } 188 188 - foundStars[key] = createdAt 190 190 + key := fmt.Sprintf("%s/%s", starRecord.Subject.DID, starRecord.Subject.Repository) 191 191 + foundStars[key] = starRecord.CreatedAt 189 192 } 190 193 } 191 194 ··· 222 225 } 223 226 } 224 227 228 228 + // After processing repo pages, fetch descriptions from external sources if empty 229 229 + if collection == atproto.RepoPageCollection { 230 230 + if err := b.reconcileRepoPageDescriptions(ctx, did, pdsEndpoint); err != nil { 231 231 + slog.Warn("Backfill failed to reconcile repo page descriptions", "did", did, "error", err) 232 232 + } 233 233 + } 234 234 + 225 235 return recordCount, nil 226 236 } 227 237 ··· 287 297 return b.processor.ProcessStar(context.Background(), did, record.Value) 288 298 case atproto.SailorProfileCollection: 289 299 return b.processor.ProcessSailorProfile(ctx, did, record.Value, b.queryCaptainRecordWrapper) 300 300 + case atproto.RepoPageCollection: 301 301 + // rkey is extracted from the record URI, but for repo pages we use Repository field 302 302 + return b.processor.ProcessRepoPage(ctx, did, record.URI, record.Value, false) 290 303 default: 291 304 return fmt.Errorf("unsupported collection: %s", collection) 292 305 } ··· 364 377 365 378 // reconcileAnnotations ensures annotations come from the newest manifest in each repository 366 379 // This fixes the out-of-order backfill issue where older manifests can overwrite newer annotations 367 367 - // NOTE: Currently disabled because the generated Manifest_Annotations type doesn't support 368 368 - // arbitrary key-value pairs. Would need to update lexicon schema with "unknown" type. 369 380 func (b *BackfillWorker) reconcileAnnotations(ctx context.Context, did string, pdsClient *atproto.Client) error { 370 370 - // TODO: Re-enable once lexicon supports annotations as map[string]string 371 371 - // For now, skip annotation reconciliation as the generated type is an empty struct 372 372 - _ = did 373 373 - _ = pdsClient 381 381 + // Get all repositories for this DID 382 382 + repositories, err := db.GetRepositoriesForDID(b.db, did) 383 383 + if err != nil { 384 384 + return fmt.Errorf("failed to get repositories: %w", err) 385 385 + } 386 386 + 387 387 + for _, repo := range repositories { 388 388 + // Find newest manifest for this repository 389 389 + newestManifest, err := db.GetNewestManifestForRepo(b.db, did, repo) 390 390 + if err != nil { 391 391 + slog.Warn("Backfill failed to get newest manifest for repo", "did", did, "repository", repo, "error", err) 392 392 + continue // Skip on error 393 393 + } 394 394 + 395 395 + // Fetch the full manifest record from PDS using the digest as rkey 396 396 + rkey := strings.TrimPrefix(newestManifest.Digest, "sha256:") 397 397 + record, err := pdsClient.GetRecord(ctx, atproto.ManifestCollection, rkey) 398 398 + if err != nil { 399 399 + slog.Warn("Backfill failed to fetch manifest record for repo", "did", did, "repository", repo, "error", err) 400 400 + continue // Skip on error 401 401 + } 402 402 + 403 403 + // Parse manifest record 404 404 + var manifestRecord atproto.ManifestRecord 405 405 + if err := json.Unmarshal(record.Value, &manifestRecord); err != nil { 406 406 + slog.Warn("Backfill failed to parse manifest record for repo", "did", did, "repository", repo, "error", err) 407 407 + continue 408 408 + } 409 409 + 410 410 + // Update annotations from newest manifest only 411 411 + if len(manifestRecord.Annotations) > 0 { 412 412 + // Filter out empty annotations 413 413 + hasData := false 414 414 + for _, value := range manifestRecord.Annotations { 415 415 + if value != "" { 416 416 + hasData = true 417 417 + break 418 418 + } 419 419 + } 420 420 + 421 421 + if hasData { 422 422 + err = db.UpsertRepositoryAnnotations(b.db, did, repo, manifestRecord.Annotations) 423 423 + if err != nil { 424 424 + slog.Warn("Backfill failed to reconcile annotations for repo", "did", did, "repository", repo, "error", err) 425 425 + } else { 426 426 + slog.Info("Backfill reconciled annotations for repo from newest manifest", "did", did, "repository", repo, "digest", newestManifest.Digest) 427 427 + } 428 428 + } 429 429 + } 430 430 + } 431 431 + 432 432 + return nil 433 433 + } 434 434 + 435 435 + // reconcileRepoPageDescriptions fetches README content from external sources for repo pages with empty descriptions 436 436 + // If the user has an OAuth session, it updates the PDS record (source of truth) 437 437 + // Otherwise, it just stores the fetched content in the database 438 438 + func (b *BackfillWorker) reconcileRepoPageDescriptions(ctx context.Context, did, pdsEndpoint string) error { 439 439 + // Get all repo pages for this DID 440 440 + repoPages, err := db.GetRepoPagesByDID(b.db, did) 441 441 + if err != nil { 442 442 + return fmt.Errorf("failed to get repo pages: %w", err) 443 443 + } 444 444 + 445 445 + for _, page := range repoPages { 446 446 + // Skip pages that already have a description 447 447 + if page.Description != "" { 448 448 + continue 449 449 + } 450 450 + 451 451 + // Get annotations from the repository's manifest 452 452 + annotations, err := db.GetRepositoryAnnotations(b.db, did, page.Repository) 453 453 + if err != nil { 454 454 + slog.Debug("Failed to get annotations for repo page", "did", did, "repository", page.Repository, "error", err) 455 455 + continue 456 456 + } 457 457 + 458 458 + // Try to fetch README content from external sources 459 459 + description := b.fetchReadmeContent(ctx, annotations) 460 460 + if description == "" { 461 461 + // No README content available, skip 462 462 + continue 463 463 + } 464 464 + 465 465 + slog.Info("Fetched README for repo page", "did", did, "repository", page.Repository, "descriptionLength", len(description)) 466 466 + 467 467 + // Try to update PDS if we have OAuth session 468 468 + pdsUpdated := false 469 469 + if b.refresher != nil { 470 470 + if err := b.updateRepoPageInPDS(ctx, did, pdsEndpoint, page.Repository, description, page.AvatarCID); err != nil { 471 471 + slog.Debug("Could not update repo page in PDS, falling back to DB-only", "did", did, "repository", page.Repository, "error", err) 472 472 + } else { 473 473 + pdsUpdated = true 474 474 + slog.Info("Updated repo page in PDS with fetched description", "did", did, "repository", page.Repository) 475 475 + } 476 476 + } 477 477 + 478 478 + // Always update database with the fetched content 479 479 + if err := db.UpsertRepoPage(b.db, did, page.Repository, description, page.AvatarCID, page.CreatedAt, time.Now()); err != nil { 480 480 + slog.Warn("Failed to update repo page in database", "did", did, "repository", page.Repository, "error", err) 481 481 + } else if !pdsUpdated { 482 482 + slog.Info("Updated repo page in database (PDS not updated)", "did", did, "repository", page.Repository) 483 483 + } 484 484 + } 485 485 + 486 486 + return nil 487 487 + } 488 488 + 489 489 + // fetchReadmeContent attempts to fetch README content from external sources based on annotations 490 490 + // Priority: io.atcr.readme annotation > derived from org.opencontainers.image.source 491 491 + func (b *BackfillWorker) fetchReadmeContent(ctx context.Context, annotations map[string]string) string { 492 492 + // Create a context with timeout for README fetching 493 493 + fetchCtx, cancel := context.WithTimeout(ctx, 10*time.Second) 494 494 + defer cancel() 495 495 + 496 496 + // Priority 1: Direct README URL from io.atcr.readme annotation 497 497 + if readmeURL := annotations["io.atcr.readme"]; readmeURL != "" { 498 498 + content, err := b.fetchRawReadme(fetchCtx, readmeURL) 499 499 + if err != nil { 500 500 + slog.Debug("Failed to fetch README from io.atcr.readme annotation", "url", readmeURL, "error", err) 501 501 + } else if content != "" { 502 502 + return content 503 503 + } 504 504 + } 505 505 + 506 506 + // Priority 2: Derive README URL from org.opencontainers.image.source 507 507 + if sourceURL := annotations["org.opencontainers.image.source"]; sourceURL != "" { 508 508 + // Try main branch first, then master 509 509 + for _, branch := range []string{"main", "master"} { 510 510 + readmeURL := readme.DeriveReadmeURL(sourceURL, branch) 511 511 + if readmeURL == "" { 512 512 + continue 513 513 + } 514 514 + 515 515 + content, err := b.fetchRawReadme(fetchCtx, readmeURL) 516 516 + if err != nil { 517 517 + // Only log non-404 errors (404 is expected when trying main vs master) 518 518 + if !readme.Is404(err) { 519 519 + slog.Debug("Failed to fetch README from source URL", "url", readmeURL, "branch", branch, "error", err) 520 520 + } 521 521 + continue 522 522 + } 523 523 + 524 524 + if content != "" { 525 525 + return content 526 526 + } 527 527 + } 528 528 + } 529 529 + 530 530 + return "" 531 531 + } 532 532 + 533 533 + // fetchRawReadme fetches raw markdown content from a URL 534 534 + func (b *BackfillWorker) fetchRawReadme(ctx context.Context, readmeURL string) (string, error) { 535 535 + req, err := http.NewRequestWithContext(ctx, "GET", readmeURL, nil) 536 536 + if err != nil { 537 537 + return "", fmt.Errorf("failed to create request: %w", err) 538 538 + } 539 539 + 540 540 + req.Header.Set("User-Agent", "ATCR-Backfill-README-Fetcher/1.0") 541 541 + 542 542 + client := &http.Client{ 543 543 + Timeout: 10 * time.Second, 544 544 + CheckRedirect: func(req *http.Request, via []*http.Request) error { 545 545 + if len(via) >= 5 { 546 546 + return fmt.Errorf("too many redirects") 547 547 + } 548 548 + return nil 549 549 + }, 550 550 + } 551 551 + 552 552 + resp, err := client.Do(req) 553 553 + if err != nil { 554 554 + return "", fmt.Errorf("failed to fetch URL: %w", err) 555 555 + } 556 556 + defer resp.Body.Close() 557 557 + 558 558 + if resp.StatusCode != http.StatusOK { 559 559 + return "", fmt.Errorf("status %d", resp.StatusCode) 560 560 + } 561 561 + 562 562 + // Limit content size to 100KB 563 563 + limitedReader := io.LimitReader(resp.Body, 100*1024) 564 564 + content, err := io.ReadAll(limitedReader) 565 565 + if err != nil { 566 566 + return "", fmt.Errorf("failed to read response body: %w", err) 567 567 + } 568 568 + 569 569 + return string(content), nil 570 570 + } 571 571 + 572 572 + // updateRepoPageInPDS updates the repo page record in the user's PDS using OAuth 573 573 + func (b *BackfillWorker) updateRepoPageInPDS(ctx context.Context, did, pdsEndpoint, repository, description, avatarCID string) error { 574 574 + if b.refresher == nil { 575 575 + return fmt.Errorf("no OAuth refresher available") 576 576 + } 577 577 + 578 578 + // Create ATProto client with session provider 579 579 + pdsClient := atproto.NewClientWithSessionProvider(pdsEndpoint, did, b.refresher) 580 580 + 581 581 + // Get existing repo page record to preserve other fields 582 582 + existingRecord, err := pdsClient.GetRecord(ctx, atproto.RepoPageCollection, repository) 583 583 + var createdAt time.Time 584 584 + var avatarRef *atproto.ATProtoBlobRef 585 585 + 586 586 + if err == nil && existingRecord != nil { 587 587 + // Parse existing record 588 588 + var existingPage atproto.RepoPageRecord 589 589 + if err := json.Unmarshal(existingRecord.Value, &existingPage); err == nil { 590 590 + createdAt = existingPage.CreatedAt 591 591 + avatarRef = existingPage.Avatar 592 592 + } 593 593 + } 594 594 + 595 595 + if createdAt.IsZero() { 596 596 + createdAt = time.Now() 597 597 + } 598 598 + 599 599 + // Create updated repo page record 600 600 + repoPage := &atproto.RepoPageRecord{ 601 601 + Type: atproto.RepoPageCollection, 602 602 + Repository: repository, 603 603 + Description: description, 604 604 + Avatar: avatarRef, 605 605 + CreatedAt: createdAt, 606 606 + UpdatedAt: time.Now(), 607 607 + } 608 608 + 609 609 + // Write to PDS - this will use DoWithSession internally 610 610 + _, err = pdsClient.PutRecord(ctx, atproto.RepoPageCollection, repository, repoPage) 611 611 + if err != nil { 612 612 + return fmt.Errorf("failed to write to PDS: %w", err) 613 613 + } 614 614 + 374 615 return nil 375 616 }

+65 -51

pkg/appview/jetstream/processor.go

··· 100 100 // Returns the manifest ID for further processing (layers/references) 101 101 func (p *Processor) ProcessManifest(ctx context.Context, did string, recordData []byte) (int64, error) { 102 102 // Unmarshal manifest record 103 103 - var manifestRecord atproto.Manifest 103 103 + var manifestRecord atproto.ManifestRecord 104 104 if err := json.Unmarshal(recordData, &manifestRecord); err != nil { 105 105 return 0, fmt.Errorf("failed to unmarshal manifest: %w", err) 106 106 } ··· 110 110 // Extract hold DID from manifest (with fallback for legacy manifests) 111 111 // New manifests use holdDid field (DID format) 112 112 // Old manifests use holdEndpoint field (URL format) - convert to DID 113 113 - var holdDID string 114 114 - if manifestRecord.HoldDid != nil && *manifestRecord.HoldDid != "" { 115 115 - holdDID = *manifestRecord.HoldDid 116 116 - } else if manifestRecord.HoldEndpoint != nil && *manifestRecord.HoldEndpoint != "" { 113 113 + holdDID := manifestRecord.HoldDID 114 114 + if holdDID == "" && manifestRecord.HoldEndpoint != "" { 117 115 // Legacy manifest - convert URL to DID 118 118 - holdDID = atproto.ResolveHoldDIDFromURL(*manifestRecord.HoldEndpoint) 119 119 - } 120 120 - 121 121 - // Parse CreatedAt string to time.Time 122 122 - createdAt, err := time.Parse(time.RFC3339, manifestRecord.CreatedAt) 123 123 - if err != nil { 124 124 - // Fall back to current time if parsing fails 125 125 - createdAt = time.Now() 116 116 + holdDID = atproto.ResolveHoldDIDFromURL(manifestRecord.HoldEndpoint) 126 117 } 127 118 128 119 // Prepare manifest for insertion (WITHOUT annotation fields) ··· 131 122 Repository: manifestRecord.Repository, 132 123 Digest: manifestRecord.Digest, 133 124 MediaType: manifestRecord.MediaType, 134 134 - SchemaVersion: int(manifestRecord.SchemaVersion), 125 125 + SchemaVersion: manifestRecord.SchemaVersion, 135 126 HoldEndpoint: holdDID, 136 136 - CreatedAt: createdAt, 127 127 + CreatedAt: manifestRecord.CreatedAt, 137 128 // Annotations removed - stored separately in repository_annotations table 138 129 } 139 130 ··· 163 154 } 164 155 } 165 156 166 166 - // Note: Repository annotations are currently disabled because the generated 167 167 - // Manifest_Annotations type doesn't support arbitrary key-value pairs. 168 168 - // The lexicon would need to use "unknown" type for annotations to support this. 169 169 - // TODO: Re-enable once lexicon supports annotations as map[string]string 170 170 - _ = manifestRecord.Annotations 157 157 + // Update repository annotations ONLY if manifest has at least one non-empty annotation 158 158 + if manifestRecord.Annotations != nil { 159 159 + hasData := false 160 160 + for _, value := range manifestRecord.Annotations { 161 161 + if value != "" { 162 162 + hasData = true 163 163 + break 164 164 + } 165 165 + } 166 166 + 167 167 + if hasData { 168 168 + // Replace all annotations for this repository 169 169 + err = db.UpsertRepositoryAnnotations(p.db, did, manifestRecord.Repository, manifestRecord.Annotations) 170 170 + if err != nil { 171 171 + return 0, fmt.Errorf("failed to upsert annotations: %w", err) 172 172 + } 173 173 + } 174 174 + } 171 175 172 176 // Insert manifest references or layers 173 177 if isManifestList { ··· 180 184 181 185 if ref.Platform != nil { 182 186 platformArch = ref.Platform.Architecture 183 183 - platformOS = ref.Platform.Os 184 184 - if ref.Platform.Variant != nil { 185 185 - platformVariant = *ref.Platform.Variant 186 186 - } 187 187 - if ref.Platform.OsVersion != nil { 188 188 - platformOSVersion = *ref.Platform.OsVersion 189 189 - } 187 187 + platformOS = ref.Platform.OS 188 188 + platformVariant = ref.Platform.Variant 189 189 + platformOSVersion = ref.Platform.OSVersion 190 190 } 191 191 192 192 - // Note: Attestation detection via annotations is currently disabled 193 193 - // because the generated Manifest_ManifestReference_Annotations type 194 194 - // doesn't support arbitrary key-value pairs. 192 192 + // Detect attestation manifests from annotations 195 193 isAttestation := false 194 194 + if ref.Annotations != nil { 195 195 + if refType, ok := ref.Annotations["vnd.docker.reference.type"]; ok { 196 196 + isAttestation = refType == "attestation-manifest" 197 197 + } 198 198 + } 196 199 197 200 if err := db.InsertManifestReference(p.db, &db.ManifestReference{ 198 201 ManifestID: manifestID, ··· 232 235 // ProcessTag processes a tag record and stores it in the database 233 236 func (p *Processor) ProcessTag(ctx context.Context, did string, recordData []byte) error { 234 237 // Unmarshal tag record 235 235 - var tagRecord atproto.Tag 238 238 + var tagRecord atproto.TagRecord 236 239 if err := json.Unmarshal(recordData, &tagRecord); err != nil { 237 240 return fmt.Errorf("failed to unmarshal tag: %w", err) 238 241 } ··· 242 245 return fmt.Errorf("failed to get manifest digest from tag record: %w", err) 243 246 } 244 247 245 245 - // Parse CreatedAt string to time.Time 246 246 - tagCreatedAt, err := time.Parse(time.RFC3339, tagRecord.CreatedAt) 247 247 - if err != nil { 248 248 - // Fall back to current time if parsing fails 249 249 - tagCreatedAt = time.Now() 250 250 - } 251 251 - 252 248 // Insert or update tag 253 249 return db.UpsertTag(p.db, &db.Tag{ 254 250 DID: did, 255 251 Repository: tagRecord.Repository, 256 252 Tag: tagRecord.Tag, 257 253 Digest: manifestDigest, 258 258 - CreatedAt: tagCreatedAt, 254 254 + CreatedAt: tagRecord.UpdatedAt, 259 255 }) 260 256 } 261 257 262 258 // ProcessStar processes a star record and stores it in the database 263 259 func (p *Processor) ProcessStar(ctx context.Context, did string, recordData []byte) error { 264 260 // Unmarshal star record 265 265 - var starRecord atproto.SailorStar 261 261 + var starRecord atproto.StarRecord 266 262 if err := json.Unmarshal(recordData, &starRecord); err != nil { 267 263 return fmt.Errorf("failed to unmarshal star: %w", err) 268 264 } ··· 270 266 // The DID here is the starrer (user who starred) 271 267 // The subject contains the owner DID and repository 272 268 // Star count will be calculated on demand from the stars table 273 273 - // Parse the CreatedAt string to time.Time 274 274 - createdAt, err := time.Parse(time.RFC3339, starRecord.CreatedAt) 275 275 - if err != nil { 276 276 - // Fall back to current time if parsing fails 277 277 - createdAt = time.Now() 278 278 - } 279 279 - return db.UpsertStar(p.db, did, starRecord.Subject.Did, starRecord.Subject.Repository, createdAt) 269 269 + return db.UpsertStar(p.db, did, starRecord.Subject.DID, starRecord.Subject.Repository, starRecord.CreatedAt) 280 270 } 281 271 282 272 // ProcessSailorProfile processes a sailor profile record 283 273 // This is primarily used by backfill to cache captain records for holds 284 274 func (p *Processor) ProcessSailorProfile(ctx context.Context, did string, recordData []byte, queryCaptainFn func(context.Context, string) error) error { 285 275 // Unmarshal sailor profile record 286 286 - var profileRecord atproto.SailorProfile 276 276 + var profileRecord atproto.SailorProfileRecord 287 277 if err := json.Unmarshal(recordData, &profileRecord); err != nil { 288 278 return fmt.Errorf("failed to unmarshal sailor profile: %w", err) 289 279 } 290 280 291 281 // Skip if no default hold set 292 292 - if profileRecord.DefaultHold == nil || *profileRecord.DefaultHold == "" { 282 282 + if profileRecord.DefaultHold == "" { 293 283 return nil 294 284 } 295 285 296 286 // Convert hold URL/DID to canonical DID 297 297 - holdDID := atproto.ResolveHoldDIDFromURL(*profileRecord.DefaultHold) 287 287 + holdDID := atproto.ResolveHoldDIDFromURL(profileRecord.DefaultHold) 298 288 if holdDID == "" { 299 299 - slog.Warn("Invalid hold reference in profile", "component", "processor", "did", did, "default_hold", *profileRecord.DefaultHold) 289 289 + slog.Warn("Invalid hold reference in profile", "component", "processor", "did", did, "default_hold", profileRecord.DefaultHold) 300 290 return nil 301 291 } 302 292 ··· 307 297 } 308 298 309 299 return nil 300 300 + } 301 301 + 302 302 + // ProcessRepoPage processes a repository page record 303 303 + // This is called when Jetstream receives a repo page create/update event 304 304 + func (p *Processor) ProcessRepoPage(ctx context.Context, did string, rkey string, recordData []byte, isDelete bool) error { 305 305 + if isDelete { 306 306 + // Delete the repo page from our cache 307 307 + return db.DeleteRepoPage(p.db, did, rkey) 308 308 + } 309 309 + 310 310 + // Unmarshal repo page record 311 311 + var pageRecord atproto.RepoPageRecord 312 312 + if err := json.Unmarshal(recordData, &pageRecord); err != nil { 313 313 + return fmt.Errorf("failed to unmarshal repo page: %w", err) 314 314 + } 315 315 + 316 316 + // Extract avatar CID if present 317 317 + avatarCID := "" 318 318 + if pageRecord.Avatar != nil && pageRecord.Avatar.Ref.Link != "" { 319 319 + avatarCID = pageRecord.Avatar.Ref.Link 320 320 + } 321 321 + 322 322 + // Upsert to database 323 323 + return db.UpsertRepoPage(p.db, did, pageRecord.Repository, pageRecord.Description, avatarCID, pageRecord.CreatedAt, pageRecord.UpdatedAt) 310 324 } 311 325 312 326 // ProcessIdentity handles identity change events (handle updates)

+54 -36

pkg/appview/jetstream/processor_test.go

··· 11 11 _ "github.com/mattn/go-sqlite3" 12 12 ) 13 13 14 14 - // ptrString returns a pointer to the given string 15 15 - func ptrString(s string) *string { 16 16 - return &s 17 17 - } 18 18 - 19 14 // setupTestDB creates an in-memory SQLite database for testing 20 15 func setupTestDB(t *testing.T) *sql.DB { 21 16 database, err := sql.Open("sqlite3", ":memory:") ··· 148 143 ctx := context.Background() 149 144 150 145 // Create test manifest record 151 151 - manifestRecord := &atproto.Manifest{ 146 146 + manifestRecord := &atproto.ManifestRecord{ 152 147 Repository: "test-app", 153 148 Digest: "sha256:abc123", 154 149 MediaType: "application/vnd.oci.image.manifest.v1+json", 155 150 SchemaVersion: 2, 156 156 - HoldEndpoint: ptrString("did:web:hold01.atcr.io"), 157 157 - CreatedAt: time.Now().Format(time.RFC3339), 158 158 - Config: &atproto.Manifest_BlobReference{ 151 151 + HoldEndpoint: "did:web:hold01.atcr.io", 152 152 + CreatedAt: time.Now(), 153 153 + Config: &atproto.BlobReference{ 159 154 Digest: "sha256:config123", 160 155 Size: 1234, 161 156 }, 162 162 - Layers: []atproto.Manifest_BlobReference{ 157 157 + Layers: []atproto.BlobReference{ 163 158 {Digest: "sha256:layer1", Size: 5000, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip"}, 164 159 {Digest: "sha256:layer2", Size: 3000, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip"}, 165 160 }, 166 166 - // Annotations disabled - generated Manifest_Annotations is empty struct 161 161 + Annotations: map[string]string{ 162 162 + "org.opencontainers.image.title": "Test App", 163 163 + "org.opencontainers.image.description": "A test application", 164 164 + "org.opencontainers.image.source": "https://github.com/test/app", 165 165 + "org.opencontainers.image.licenses": "MIT", 166 166 + "io.atcr.icon": "https://example.com/icon.png", 167 167 + }, 167 168 } 168 169 169 170 // Marshal to bytes for ProcessManifest ··· 192 193 t.Errorf("Expected 1 manifest, got %d", count) 193 194 } 194 195 195 195 - // Note: Annotations verification disabled - generated Manifest_Annotations is empty struct 196 196 - // TODO: Re-enable when lexicon uses "unknown" type for annotations 196 196 + // Verify annotations were stored in repository_annotations table 197 197 + var title, source string 198 198 + err = database.QueryRow("SELECT value FROM repository_annotations WHERE did = ? AND repository = ? AND key = ?", 199 199 + "did:plc:test123", "test-app", "org.opencontainers.image.title").Scan(&title) 200 200 + if err != nil { 201 201 + t.Fatalf("Failed to query title annotation: %v", err) 202 202 + } 203 203 + if title != "Test App" { 204 204 + t.Errorf("title = %q, want %q", title, "Test App") 205 205 + } 206 206 + 207 207 + err = database.QueryRow("SELECT value FROM repository_annotations WHERE did = ? AND repository = ? AND key = ?", 208 208 + "did:plc:test123", "test-app", "org.opencontainers.image.source").Scan(&source) 209 209 + if err != nil { 210 210 + t.Fatalf("Failed to query source annotation: %v", err) 211 211 + } 212 212 + if source != "https://github.com/test/app" { 213 213 + t.Errorf("source = %q, want %q", source, "https://github.com/test/app") 214 214 + } 197 215 198 216 // Verify layers were inserted 199 217 var layerCount int ··· 224 242 ctx := context.Background() 225 243 226 244 // Create test manifest list record 227 227 - manifestRecord := &atproto.Manifest{ 245 245 + manifestRecord := &atproto.ManifestRecord{ 228 246 Repository: "test-app", 229 247 Digest: "sha256:list123", 230 248 MediaType: "application/vnd.oci.image.index.v1+json", 231 249 SchemaVersion: 2, 232 232 - HoldEndpoint: ptrString("did:web:hold01.atcr.io"), 233 233 - CreatedAt: time.Now().Format(time.RFC3339), 234 234 - Manifests: []atproto.Manifest_ManifestReference{ 250 250 + HoldEndpoint: "did:web:hold01.atcr.io", 251 251 + CreatedAt: time.Now(), 252 252 + Manifests: []atproto.ManifestReference{ 235 253 { 236 254 Digest: "sha256:amd64manifest", 237 255 MediaType: "application/vnd.oci.image.manifest.v1+json", 238 256 Size: 1000, 239 239 - Platform: &atproto.Manifest_Platform{ 257 257 + Platform: &atproto.Platform{ 240 258 Architecture: "amd64", 241 241 - Os: "linux", 259 259 + OS: "linux", 242 260 }, 243 261 }, 244 262 { 245 263 Digest: "sha256:arm64manifest", 246 264 MediaType: "application/vnd.oci.image.manifest.v1+json", 247 265 Size: 1100, 248 248 - Platform: &atproto.Manifest_Platform{ 266 266 + Platform: &atproto.Platform{ 249 267 Architecture: "arm64", 250 250 - Os: "linux", 251 251 - Variant: ptrString("v8"), 268 268 + OS: "linux", 269 269 + Variant: "v8", 252 270 }, 253 271 }, 254 272 }, ··· 308 326 ctx := context.Background() 309 327 310 328 // Create test tag record (using ManifestDigest field for simplicity) 311 311 - tagRecord := &atproto.Tag{ 329 329 + tagRecord := &atproto.TagRecord{ 312 330 Repository: "test-app", 313 331 Tag: "latest", 314 314 - ManifestDigest: ptrString("sha256:abc123"), 315 315 - CreatedAt: time.Now().Format(time.RFC3339), 332 332 + ManifestDigest: "sha256:abc123", 333 333 + UpdatedAt: time.Now(), 316 334 } 317 335 318 336 // Marshal to bytes for ProcessTag ··· 350 368 } 351 369 352 370 // Test upserting same tag with new digest 353 353 - tagRecord.ManifestDigest = ptrString("sha256:newdigest") 371 371 + tagRecord.ManifestDigest = "sha256:newdigest" 354 372 recordBytes, err = json.Marshal(tagRecord) 355 373 if err != nil { 356 374 t.Fatalf("Failed to marshal tag: %v", err) ··· 389 407 ctx := context.Background() 390 408 391 409 // Create test star record 392 392 - starRecord := &atproto.SailorStar{ 393 393 - Subject: atproto.SailorStar_Subject{ 394 394 - Did: "did:plc:owner123", 410 410 + starRecord := &atproto.StarRecord{ 411 411 + Subject: atproto.StarSubject{ 412 412 + DID: "did:plc:owner123", 395 413 Repository: "test-app", 396 414 }, 397 397 - CreatedAt: time.Now().Format(time.RFC3339), 415 415 + CreatedAt: time.Now(), 398 416 } 399 417 400 418 // Marshal to bytes for ProcessStar ··· 448 466 p := NewProcessor(database, false) 449 467 ctx := context.Background() 450 468 451 451 - manifestRecord := &atproto.Manifest{ 469 469 + manifestRecord := &atproto.ManifestRecord{ 452 470 Repository: "test-app", 453 471 Digest: "sha256:abc123", 454 472 MediaType: "application/vnd.oci.image.manifest.v1+json", 455 473 SchemaVersion: 2, 456 456 - HoldEndpoint: ptrString("did:web:hold01.atcr.io"), 457 457 - CreatedAt: time.Now().Format(time.RFC3339), 474 474 + HoldEndpoint: "did:web:hold01.atcr.io", 475 475 + CreatedAt: time.Now(), 458 476 } 459 477 460 478 // Marshal to bytes for ProcessManifest ··· 500 518 ctx := context.Background() 501 519 502 520 // Manifest with nil annotations 503 503 - manifestRecord := &atproto.Manifest{ 521 521 + manifestRecord := &atproto.ManifestRecord{ 504 522 Repository: "test-app", 505 523 Digest: "sha256:abc123", 506 524 MediaType: "application/vnd.oci.image.manifest.v1+json", 507 525 SchemaVersion: 2, 508 508 - HoldEndpoint: ptrString("did:web:hold01.atcr.io"), 509 509 - CreatedAt: time.Now().Format(time.RFC3339), 526 526 + HoldEndpoint: "did:web:hold01.atcr.io", 527 527 + CreatedAt: time.Now(), 510 528 Annotations: nil, 511 529 } 512 530

+39 -3

pkg/appview/jetstream/worker.go

··· 61 61 jetstreamURL: jetstreamURL, 62 62 startCursor: startCursor, 63 63 wantedCollections: []string{ 64 64 - atproto.ManifestCollection, // io.atcr.manifest 65 65 - atproto.TagCollection, // io.atcr.tag 66 66 - atproto.StarCollection, // io.atcr.sailor.star 64 64 + "io.atcr.*", // Subscribe to all ATCR collections 67 65 }, 68 66 processor: NewProcessor(database, true), // Use cache for live streaming 69 67 } ··· 312 310 case atproto.StarCollection: 313 311 slog.Info("Jetstream processing star event", "did", commit.DID, "operation", commit.Operation, "rkey", commit.RKey) 314 312 return w.processStar(commit) 313 313 + case atproto.RepoPageCollection: 314 314 + slog.Info("Jetstream processing repo page event", "did", commit.DID, "operation", commit.Operation, "rkey", commit.RKey) 315 315 + return w.processRepoPage(commit) 315 316 default: 316 317 // Ignore other collections 317 318 return nil ··· 434 435 435 436 // Use shared processor for DB operations 436 437 return w.processor.ProcessStar(context.Background(), commit.DID, recordBytes) 438 438 + } 439 439 + 440 440 + // processRepoPage processes a repo page commit event 441 441 + func (w *Worker) processRepoPage(commit *CommitEvent) error { 442 442 + // Resolve and upsert user with handle/PDS endpoint 443 443 + if err := w.processor.EnsureUser(context.Background(), commit.DID); err != nil { 444 444 + return fmt.Errorf("failed to ensure user: %w", err) 445 445 + } 446 446 + 447 447 + isDelete := commit.Operation == "delete" 448 448 + 449 449 + if isDelete { 450 450 + // Delete - rkey is the repository name 451 451 + slog.Info("Jetstream deleting repo page", "did", commit.DID, "repository", commit.RKey) 452 452 + if err := w.processor.ProcessRepoPage(context.Background(), commit.DID, commit.RKey, nil, true); err != nil { 453 453 + slog.Error("Jetstream ERROR deleting repo page", "error", err) 454 454 + return err 455 455 + } 456 456 + slog.Info("Jetstream successfully deleted repo page", "did", commit.DID, "repository", commit.RKey) 457 457 + return nil 458 458 + } 459 459 + 460 460 + // Parse repo page record 461 461 + if commit.Record == nil { 462 462 + return nil 463 463 + } 464 464 + 465 465 + // Marshal map to bytes for processing 466 466 + recordBytes, err := json.Marshal(commit.Record) 467 467 + if err != nil { 468 468 + return fmt.Errorf("failed to marshal record: %w", err) 469 469 + } 470 470 + 471 471 + // Use shared processor for DB operations 472 472 + return w.processor.ProcessRepoPage(context.Background(), commit.DID, commit.RKey, recordBytes, false) 437 473 } 438 474 439 475 // processIdentity processes an identity event (handle change)

+59 -6

pkg/appview/middleware/auth.go

··· 11 11 "net/url" 12 12 13 13 "atcr.io/pkg/appview/db" 14 14 + "atcr.io/pkg/auth" 15 15 + "atcr.io/pkg/auth/oauth" 14 16 ) 15 17 16 18 type contextKey string 17 19 18 20 const userKey contextKey = "user" 19 21 22 22 + // WebAuthDeps contains dependencies for web auth middleware 23 23 + type WebAuthDeps struct { 24 24 + SessionStore *db.SessionStore 25 25 + Database *sql.DB 26 26 + Refresher *oauth.Refresher 27 27 + DefaultHoldDID string 28 28 + } 29 29 + 20 30 // RequireAuth is middleware that requires authentication 21 31 func RequireAuth(store *db.SessionStore, database *sql.DB) func(http.Handler) http.Handler { 32 32 + return RequireAuthWithDeps(WebAuthDeps{ 33 33 + SessionStore: store, 34 34 + Database: database, 35 35 + }) 36 36 + } 37 37 + 38 38 + // RequireAuthWithDeps is middleware that requires authentication and creates UserContext 39 39 + func RequireAuthWithDeps(deps WebAuthDeps) func(http.Handler) http.Handler { 22 40 return func(next http.Handler) http.Handler { 23 41 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 24 42 sessionID, ok := getSessionID(r) ··· 32 50 return 33 51 } 34 52 35 35 - sess, ok := store.Get(sessionID) 53 53 + sess, ok := deps.SessionStore.Get(sessionID) 36 54 if !ok { 37 55 // Build return URL with query parameters preserved 38 56 returnTo := r.URL.Path ··· 44 62 } 45 63 46 64 // Look up full user from database to get avatar 47 47 - user, err := db.GetUserByDID(database, sess.DID) 65 65 + user, err := db.GetUserByDID(deps.Database, sess.DID) 48 66 if err != nil || user == nil { 49 67 // Fallback to session data if DB lookup fails 50 68 user = &db.User{ ··· 54 72 } 55 73 } 56 74 57 57 - ctx := context.WithValue(r.Context(), userKey, user) 75 75 + ctx := r.Context() 76 76 + ctx = context.WithValue(ctx, userKey, user) 77 77 + 78 78 + // Create UserContext for authenticated users (enables EnsureUserSetup) 79 79 + if deps.Refresher != nil { 80 80 + userCtx := auth.NewUserContext(sess.DID, auth.AuthMethodOAuth, r.Method, &auth.Dependencies{ 81 81 + Refresher: deps.Refresher, 82 82 + DefaultHoldDID: deps.DefaultHoldDID, 83 83 + }) 84 84 + userCtx.SetPDS(sess.Handle, sess.PDSEndpoint) 85 85 + userCtx.EnsureUserSetup() 86 86 + ctx = auth.WithUserContext(ctx, userCtx) 87 87 + } 88 88 + 58 89 next.ServeHTTP(w, r.WithContext(ctx)) 59 90 }) 60 91 } ··· 62 93 63 94 // OptionalAuth is middleware that optionally includes user if authenticated 64 95 func OptionalAuth(store *db.SessionStore, database *sql.DB) func(http.Handler) http.Handler { 96 96 + return OptionalAuthWithDeps(WebAuthDeps{ 97 97 + SessionStore: store, 98 98 + Database: database, 99 99 + }) 100 100 + } 101 101 + 102 102 + // OptionalAuthWithDeps is middleware that optionally includes user and UserContext if authenticated 103 103 + func OptionalAuthWithDeps(deps WebAuthDeps) func(http.Handler) http.Handler { 65 104 return func(next http.Handler) http.Handler { 66 105 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 67 106 sessionID, ok := getSessionID(r) 68 107 if ok { 69 69 - if sess, ok := store.Get(sessionID); ok { 108 108 + if sess, ok := deps.SessionStore.Get(sessionID); ok { 70 109 // Look up full user from database to get avatar 71 71 - user, err := db.GetUserByDID(database, sess.DID) 110 110 + user, err := db.GetUserByDID(deps.Database, sess.DID) 72 111 if err != nil || user == nil { 73 112 // Fallback to session data if DB lookup fails 74 113 user = &db.User{ ··· 77 116 PDSEndpoint: sess.PDSEndpoint, 78 117 } 79 118 } 80 80 - ctx := context.WithValue(r.Context(), userKey, user) 119 119 + 120 120 + ctx := r.Context() 121 121 + ctx = context.WithValue(ctx, userKey, user) 122 122 + 123 123 + // Create UserContext for authenticated users (enables EnsureUserSetup) 124 124 + if deps.Refresher != nil { 125 125 + userCtx := auth.NewUserContext(sess.DID, auth.AuthMethodOAuth, r.Method, &auth.Dependencies{ 126 126 + Refresher: deps.Refresher, 127 127 + DefaultHoldDID: deps.DefaultHoldDID, 128 128 + }) 129 129 + userCtx.SetPDS(sess.Handle, sess.PDSEndpoint) 130 130 + userCtx.EnsureUserSetup() 131 131 + ctx = auth.WithUserContext(ctx, userCtx) 132 132 + } 133 133 + 81 134 r = r.WithContext(ctx) 82 135 } 83 136 }

+111 -340

pkg/appview/middleware/registry.go

··· 2 2 3 3 import ( 4 4 "context" 5 5 + "database/sql" 5 6 "fmt" 6 7 "log/slog" 7 8 "net/http" 8 9 "strings" 9 9 - "sync" 10 10 - "time" 11 10 12 11 "github.com/distribution/distribution/v3" 13 13 - "github.com/distribution/distribution/v3/registry/api/errcode" 14 12 registrymw "github.com/distribution/distribution/v3/registry/middleware/registry" 15 13 "github.com/distribution/distribution/v3/registry/storage/driver" 16 14 "github.com/distribution/reference" ··· 28 26 // authMethodKey is the context key for storing auth method from JWT 29 27 const authMethodKey contextKey = "auth.method" 30 28 31 31 - // validationCacheEntry stores a validated service token with expiration 32 32 - type validationCacheEntry struct { 33 33 - serviceToken string 34 34 - validUntil time.Time 35 35 - err error // Cached error for fast-fail 36 36 - mu sync.Mutex // Per-entry lock to serialize cache population 37 37 - inFlight bool // True if another goroutine is fetching the token 38 38 - done chan struct{} // Closed when fetch completes 39 39 - } 40 40 - 41 41 - // validationCache provides request-level caching for service tokens 42 42 - // This prevents concurrent layer uploads from racing on OAuth/DPoP requests 43 43 - type validationCache struct { 44 44 - mu sync.RWMutex 45 45 - entries map[string]*validationCacheEntry // key: "did:holdDID" 46 46 - } 47 47 - 48 48 - // newValidationCache creates a new validation cache 49 49 - func newValidationCache() *validationCache { 50 50 - return &validationCache{ 51 51 - entries: make(map[string]*validationCacheEntry), 52 52 - } 53 53 - } 54 54 - 55 55 - // getOrFetch retrieves a service token from cache or fetches it 56 56 - // Multiple concurrent requests for the same DID:holdDID will share the fetch operation 57 57 - func (vc *validationCache) getOrFetch(ctx context.Context, cacheKey string, fetchFunc func() (string, error)) (string, error) { 58 58 - // Fast path: check cache with read lock 59 59 - vc.mu.RLock() 60 60 - entry, exists := vc.entries[cacheKey] 61 61 - vc.mu.RUnlock() 62 62 - 63 63 - if exists { 64 64 - // Entry exists, check if it's still valid 65 65 - entry.mu.Lock() 66 66 - 67 67 - // If another goroutine is fetching, wait for it 68 68 - if entry.inFlight { 69 69 - done := entry.done 70 70 - entry.mu.Unlock() 71 71 - 72 72 - select { 73 73 - case <-done: 74 74 - // Fetch completed, check result 75 75 - entry.mu.Lock() 76 76 - defer entry.mu.Unlock() 77 77 - 78 78 - if entry.err != nil { 79 79 - return "", entry.err 80 80 - } 81 81 - if time.Now().Before(entry.validUntil) { 82 82 - return entry.serviceToken, nil 83 83 - } 84 84 - // Fall through to refetch 85 85 - case <-ctx.Done(): 86 86 - return "", ctx.Err() 87 87 - } 88 88 - } else { 89 89 - // Check if cached token is still valid 90 90 - if entry.err != nil && time.Now().Before(entry.validUntil) { 91 91 - // Return cached error (fast-fail) 92 92 - entry.mu.Unlock() 93 93 - return "", entry.err 94 94 - } 95 95 - if entry.err == nil && time.Now().Before(entry.validUntil) { 96 96 - // Return cached token 97 97 - token := entry.serviceToken 98 98 - entry.mu.Unlock() 99 99 - return token, nil 100 100 - } 101 101 - entry.mu.Unlock() 102 102 - } 103 103 - } 104 104 - 105 105 - // Slow path: need to fetch token 106 106 - vc.mu.Lock() 107 107 - entry, exists = vc.entries[cacheKey] 108 108 - if !exists { 109 109 - // Create new entry 110 110 - entry = &validationCacheEntry{ 111 111 - inFlight: true, 112 112 - done: make(chan struct{}), 113 113 - } 114 114 - vc.entries[cacheKey] = entry 115 115 - } 116 116 - vc.mu.Unlock() 117 117 - 118 118 - // Lock the entry to perform fetch 119 119 - entry.mu.Lock() 120 120 - 121 121 - // Double-check: another goroutine may have fetched while we waited 122 122 - if !entry.inFlight { 123 123 - if entry.err != nil && time.Now().Before(entry.validUntil) { 124 124 - err := entry.err 125 125 - entry.mu.Unlock() 126 126 - return "", err 127 127 - } 128 128 - if entry.err == nil && time.Now().Before(entry.validUntil) { 129 129 - token := entry.serviceToken 130 130 - entry.mu.Unlock() 131 131 - return token, nil 132 132 - } 133 133 - } 134 134 - 135 135 - // Mark as in-flight and create fresh done channel for this fetch 136 136 - // IMPORTANT: Always create a new channel - a closed channel is not nil 137 137 - entry.done = make(chan struct{}) 138 138 - entry.inFlight = true 139 139 - done := entry.done 140 140 - entry.mu.Unlock() 141 141 - 142 142 - // Perform the fetch (outside the lock to allow other operations) 143 143 - serviceToken, err := fetchFunc() 144 144 - 145 145 - // Update the entry with result 146 146 - entry.mu.Lock() 147 147 - entry.inFlight = false 148 148 - 149 149 - if err != nil { 150 150 - // Cache errors for 5 seconds (fast-fail for subsequent requests) 151 151 - entry.err = err 152 152 - entry.validUntil = time.Now().Add(5 * time.Second) 153 153 - entry.serviceToken = "" 154 154 - } else { 155 155 - // Cache token for 45 seconds (covers typical Docker push operation) 156 156 - entry.err = nil 157 157 - entry.serviceToken = serviceToken 158 158 - entry.validUntil = time.Now().Add(45 * time.Second) 159 159 - } 160 160 - 161 161 - // Signal completion to waiting goroutines 162 162 - close(done) 163 163 - entry.mu.Unlock() 164 164 - 165 165 - return serviceToken, err 166 166 - } 29 29 + // pullerDIDKey is the context key for storing the authenticated user's DID from JWT 30 30 + const pullerDIDKey contextKey = "puller.did" 167 31 168 32 // Global variables for initialization only 169 33 // These are set by main.go during startup and copied into NamespaceResolver instances. 170 34 // After initialization, request handling uses the NamespaceResolver's instance fields. 171 35 var ( 172 172 - globalRefresher *oauth.Refresher 173 173 - globalDatabase storage.DatabaseMetrics 174 174 - globalAuthorizer auth.HoldAuthorizer 175 175 - globalReadmeCache storage.ReadmeCache 36 36 + globalRefresher *oauth.Refresher 37 37 + globalDatabase *sql.DB 38 38 + globalAuthorizer auth.HoldAuthorizer 176 39 ) 177 40 178 41 // SetGlobalRefresher sets the OAuth refresher instance during initialization ··· 183 46 184 47 // SetGlobalDatabase sets the database instance during initialization 185 48 // Must be called before the registry starts serving requests 186 186 - func SetGlobalDatabase(database storage.DatabaseMetrics) { 49 49 + func SetGlobalDatabase(database *sql.DB) { 187 50 globalDatabase = database 188 51 } 189 52 ··· 193 56 globalAuthorizer = authorizer 194 57 } 195 58 196 196 - // SetGlobalReadmeCache sets the readme cache instance during initialization 197 197 - // Must be called before the registry starts serving requests 198 198 - func SetGlobalReadmeCache(readmeCache storage.ReadmeCache) { 199 199 - globalReadmeCache = readmeCache 200 200 - } 201 201 - 202 59 func init() { 203 60 // Register the name resolution middleware 204 61 registrymw.Register("atproto-resolver", initATProtoResolver) ··· 207 64 // NamespaceResolver wraps a namespace and resolves names 208 65 type NamespaceResolver struct { 209 66 distribution.Namespace 210 210 - defaultHoldDID string // Default hold DID (e.g., "did:web:hold01.atcr.io") 211 211 - baseURL string // Base URL for error messages (e.g., "https://atcr.io") 212 212 - testMode bool // If true, fallback to default hold when user's hold is unreachable 213 213 - refresher *oauth.Refresher // OAuth session manager (copied from global on init) 214 214 - database storage.DatabaseMetrics // Metrics database (copied from global on init) 215 215 - authorizer auth.HoldAuthorizer // Hold authorization (copied from global on init) 216 216 - readmeCache storage.ReadmeCache // README cache (copied from global on init) 217 217 - validationCache *validationCache // Request-level service token cache 67 67 + defaultHoldDID string // Default hold DID (e.g., "did:web:hold01.atcr.io") 68 68 + baseURL string // Base URL for error messages (e.g., "https://atcr.io") 69 69 + testMode bool // If true, fallback to default hold when user's hold is unreachable 70 70 + refresher *oauth.Refresher // OAuth session manager (copied from global on init) 71 71 + sqlDB *sql.DB // Database for hold DID lookup and metrics (copied from global on init) 72 72 + authorizer auth.HoldAuthorizer // Hold authorization (copied from global on init) 218 73 } 219 74 220 75 // initATProtoResolver initializes the name resolution middleware ··· 241 96 // Copy shared services from globals into the instance 242 97 // This avoids accessing globals during request handling 243 98 return &NamespaceResolver{ 244 244 - Namespace: ns, 245 245 - defaultHoldDID: defaultHoldDID, 246 246 - baseURL: baseURL, 247 247 - testMode: testMode, 248 248 - refresher: globalRefresher, 249 249 - database: globalDatabase, 250 250 - authorizer: globalAuthorizer, 251 251 - readmeCache: globalReadmeCache, 252 252 - validationCache: newValidationCache(), 99 99 + Namespace: ns, 100 100 + defaultHoldDID: defaultHoldDID, 101 101 + baseURL: baseURL, 102 102 + testMode: testMode, 103 103 + refresher: globalRefresher, 104 104 + sqlDB: globalDatabase, 105 105 + authorizer: globalAuthorizer, 253 106 }, nil 254 254 - } 255 255 - 256 256 - // authErrorMessage creates a user-friendly auth error with login URL 257 257 - func (nr *NamespaceResolver) authErrorMessage(message string) error { 258 258 - loginURL := fmt.Sprintf("%s/auth/oauth/login", nr.baseURL) 259 259 - fullMessage := fmt.Sprintf("%s - please re-authenticate at %s", message, loginURL) 260 260 - return errcode.ErrorCodeUnauthorized.WithMessage(fullMessage) 261 107 } 262 108 263 109 // Repository resolves the repository name and delegates to underlying namespace ··· 293 139 } 294 140 ctx = context.WithValue(ctx, holdDIDKey, holdDID) 295 141 296 296 - // Auto-reconcile crew membership on first push/pull 297 297 - // This ensures users can push immediately after docker login without web sign-in 298 298 - // EnsureCrewMembership is best-effort and logs errors without failing the request 299 299 - // Run in background to avoid blocking registry operations if hold is offline 300 300 - if holdDID != "" && nr.refresher != nil { 301 301 - slog.Debug("Auto-reconciling crew membership", "component", "registry/middleware", "did", did, "hold_did", holdDID) 302 302 - client := atproto.NewClient(pdsEndpoint, did, "") 303 303 - go func(ctx context.Context, client *atproto.Client, refresher *oauth.Refresher, holdDID string) { 304 304 - storage.EnsureCrewMembership(ctx, client, refresher, holdDID) 305 305 - }(ctx, client, nr.refresher, holdDID) 306 306 - } 307 307 - 308 308 - // Get service token for hold authentication (only if authenticated) 309 309 - // Use validation cache to prevent concurrent requests from racing on OAuth/DPoP 310 310 - // Route based on auth method from JWT token 311 311 - var serviceToken string 312 312 - authMethod, _ := ctx.Value(authMethodKey).(string) 313 313 - 314 314 - // Only fetch service token if user is authenticated 315 315 - // Unauthenticated requests (like /v2/ ping) should not trigger token fetching 316 316 - if authMethod != "" { 317 317 - // Create cache key: "did:holdDID" 318 318 - cacheKey := fmt.Sprintf("%s:%s", did, holdDID) 319 319 - 320 320 - // Fetch service token through validation cache 321 321 - // This ensures only ONE request per DID:holdDID pair fetches the token 322 322 - // Concurrent requests will wait for the first request to complete 323 323 - var fetchErr error 324 324 - serviceToken, fetchErr = nr.validationCache.getOrFetch(ctx, cacheKey, func() (string, error) { 325 325 - if authMethod == token.AuthMethodAppPassword { 326 326 - // App-password flow: use Bearer token authentication 327 327 - slog.Debug("Using app-password flow for service token", 328 328 - "component", "registry/middleware", 329 329 - "did", did, 330 330 - "cacheKey", cacheKey) 331 331 - 332 332 - token, err := token.GetOrFetchServiceTokenWithAppPassword(ctx, did, holdDID, pdsEndpoint) 333 333 - if err != nil { 334 334 - slog.Error("Failed to get service token with app-password", 335 335 - "component", "registry/middleware", 336 336 - "did", did, 337 337 - "holdDID", holdDID, 338 338 - "pdsEndpoint", pdsEndpoint, 339 339 - "error", err) 340 340 - return "", err 341 341 - } 342 342 - return token, nil 343 343 - } else if nr.refresher != nil { 344 344 - // OAuth flow: use DPoP authentication 345 345 - slog.Debug("Using OAuth flow for service token", 346 346 - "component", "registry/middleware", 347 347 - "did", did, 348 348 - "cacheKey", cacheKey) 349 349 - 350 350 - token, err := token.GetOrFetchServiceToken(ctx, nr.refresher, did, holdDID, pdsEndpoint) 351 351 - if err != nil { 352 352 - slog.Error("Failed to get service token with OAuth", 353 353 - "component", "registry/middleware", 354 354 - "did", did, 355 355 - "holdDID", holdDID, 356 356 - "pdsEndpoint", pdsEndpoint, 357 357 - "error", err) 358 358 - return "", err 359 359 - } 360 360 - return token, nil 361 361 - } 362 362 - return "", fmt.Errorf("no authentication method available") 363 363 - }) 364 364 - 365 365 - // Handle errors from cached fetch 366 366 - if fetchErr != nil { 367 367 - errMsg := fetchErr.Error() 368 368 - 369 369 - // Check for app-password specific errors 370 370 - if authMethod == token.AuthMethodAppPassword { 371 371 - if strings.Contains(errMsg, "expired or invalid") || strings.Contains(errMsg, "no app-password") { 372 372 - return nil, nr.authErrorMessage("App-password authentication failed. Please re-authenticate with: docker login") 373 373 - } 374 374 - } 375 375 - 376 376 - // Check for OAuth specific errors 377 377 - if strings.Contains(errMsg, "OAuth session") || strings.Contains(errMsg, "OAuth validation") { 378 378 - return nil, nr.authErrorMessage("OAuth session expired or invalidated by PDS. Your session has been cleared") 379 379 - } 380 380 - 381 381 - // Generic service token error 382 382 - return nil, nr.authErrorMessage(fmt.Sprintf("Failed to obtain storage credentials: %v", fetchErr)) 383 383 - } 384 384 - } else { 385 385 - slog.Debug("Skipping service token fetch for unauthenticated request", 386 386 - "component", "registry/middleware", 387 387 - "did", did) 388 388 - } 142 142 + // Note: Profile and crew membership are now ensured in UserContextMiddleware 143 143 + // via EnsureUserSetup() - no need to call here 389 144 390 145 // Create a new reference with identity/image format 391 146 // Use the identity (or DID) as the namespace to ensure canonical format ··· 402 157 return nil, err 403 158 } 404 159 405 405 - // Get access token for PDS operations 406 406 - // Use auth method from JWT to determine client type: 407 407 - // - OAuth users: use session provider (DPoP-enabled) 408 408 - // - App-password users: use Basic Auth token cache 409 409 - var atprotoClient *atproto.Client 410 410 - 411 411 - if authMethod == token.AuthMethodOAuth && nr.refresher != nil { 412 412 - // OAuth flow: use session provider for locked OAuth sessions 413 413 - // This prevents DPoP nonce race conditions during concurrent layer uploads 414 414 - slog.Debug("Creating ATProto client with OAuth session provider", 415 415 - "component", "registry/middleware", 416 416 - "did", did, 417 417 - "authMethod", authMethod) 418 418 - atprotoClient = atproto.NewClientWithSessionProvider(pdsEndpoint, did, nr.refresher) 419 419 - } else { 420 420 - // App-password flow (or fallback): use Basic Auth token cache 421 421 - accessToken, ok := auth.GetGlobalTokenCache().Get(did) 422 422 - if !ok { 423 423 - slog.Debug("No cached access token found for app-password auth", 424 424 - "component", "registry/middleware", 425 425 - "did", did, 426 426 - "authMethod", authMethod) 427 427 - accessToken = "" // Will fail on manifest push, but let it try 428 428 - } else { 429 429 - slog.Debug("Creating ATProto client with app-password", 430 430 - "component", "registry/middleware", 431 431 - "did", did, 432 432 - "authMethod", authMethod, 433 433 - "token_length", len(accessToken)) 434 434 - } 435 435 - atprotoClient = atproto.NewClient(pdsEndpoint, did, accessToken) 436 436 - } 437 437 - 438 160 // IMPORTANT: Use only the image name (not identity/image) for ATProto storage 439 161 // ATProto records are scoped to the user's DID, so we don't need the identity prefix 440 162 // Example: "evan.jarrett.net/debian" -> store as "debian" 441 163 repositoryName := imageName 442 164 443 443 - // Default auth method to OAuth if not already set (backward compatibility with old tokens) 444 444 - if authMethod == "" { 445 445 - authMethod = token.AuthMethodOAuth 165 165 + // Get UserContext from request context (set by UserContextMiddleware) 166 166 + userCtx := auth.FromContext(ctx) 167 167 + if userCtx == nil { 168 168 + return nil, fmt.Errorf("UserContext not set in request context - ensure UserContextMiddleware is configured") 446 169 } 447 170 171 171 + // Set target repository info on UserContext 172 172 + // ATProtoClient is cached lazily via userCtx.GetATProtoClient() 173 173 + userCtx.SetTarget(did, handle, pdsEndpoint, repositoryName, holdDID) 174 174 + 448 175 // Create routing repository - routes manifests to ATProto, blobs to hold service 449 176 // The registry is stateless - no local storage is used 450 450 - // Bundle all context into a single RegistryContext struct 451 177 // 452 178 // NOTE: We create a fresh RoutingRepository on every request (no caching) because: 453 179 // 1. Each layer upload is a separate HTTP request (possibly different process) 454 180 // 2. OAuth sessions can be refreshed/invalidated between requests 455 181 // 3. The refresher already caches sessions efficiently (in-memory + DB) 456 456 - // 4. Caching the repository with a stale ATProtoClient causes refresh token errors 457 457 - registryCtx := &storage.RegistryContext{ 458 458 - DID: did, 459 459 - Handle: handle, 460 460 - HoldDID: holdDID, 461 461 - PDSEndpoint: pdsEndpoint, 462 462 - Repository: repositoryName, 463 463 - ServiceToken: serviceToken, // Cached service token from middleware validation 464 464 - ATProtoClient: atprotoClient, 465 465 - AuthMethod: authMethod, // Auth method from JWT token 466 466 - Database: nr.database, 467 467 - Authorizer: nr.authorizer, 468 468 - Refresher: nr.refresher, 469 469 - ReadmeCache: nr.readmeCache, 470 470 - } 471 471 - 472 472 - return storage.NewRoutingRepository(repo, registryCtx), nil 182 182 + // 4. ATProtoClient is now cached in UserContext via GetATProtoClient() 183 183 + return storage.NewRoutingRepository(repo, userCtx, nr.sqlDB), nil 473 184 } 474 185 475 186 // Repositories delegates to underlying namespace ··· 490 201 // findHoldDID determines which hold DID to use for blob storage 491 202 // Priority order: 492 203 // 1. User's sailor profile defaultHold (if set) 493 493 - // 2. User's own hold record (io.atcr.hold) 494 494 - // 3. AppView's default hold DID 204 204 + // 2. AppView's default hold DID 495 205 // Returns a hold DID (e.g., "did:web:hold01.atcr.io"), or empty string if none configured 496 206 func (nr *NamespaceResolver) findHoldDID(ctx context.Context, did, pdsEndpoint string) string { 497 207 // Create ATProto client (without auth - reading public records) ··· 504 214 slog.Warn("Failed to read profile", "did", did, "error", err) 505 215 } 506 216 507 507 - if profile != nil && profile.DefaultHold != nil && *profile.DefaultHold != "" { 508 508 - defaultHold := *profile.DefaultHold 509 509 - // Profile exists with defaultHold set 510 510 - // In test mode, verify it's reachable before using it 217 217 + if profile != nil && profile.DefaultHold != "" { 218 218 + // In test mode, verify the hold is reachable (fall back to default if not) 219 219 + // In production, trust the user's profile and return their hold 511 220 if nr.testMode { 512 512 - if nr.isHoldReachable(ctx, defaultHold) { 513 513 - return defaultHold 221 221 + if nr.isHoldReachable(ctx, profile.DefaultHold) { 222 222 + return profile.DefaultHold 514 223 } 515 515 - slog.Debug("User's defaultHold unreachable, falling back to default", "component", "registry/middleware/testmode", "default_hold", defaultHold) 224 224 + slog.Debug("User's defaultHold unreachable, falling back to default", "component", "registry/middleware/testmode", "default_hold", profile.DefaultHold) 516 225 return nr.defaultHoldDID 517 226 } 518 518 - return defaultHold 227 227 + return profile.DefaultHold 519 228 } 520 229 521 521 - // Profile doesn't exist or defaultHold is null/empty 522 522 - // Legacy io.atcr.hold records are no longer supported - use AppView default 230 230 + // No profile defaultHold - use AppView default 523 231 return nr.defaultHoldDID 524 232 } 525 233 ··· 542 250 return false 543 251 } 544 252 545 545 - // ExtractAuthMethod is an HTTP middleware that extracts the auth method from the JWT Authorization header 546 546 - // and stores it in the request context for later use by the registry middleware 253 253 + // ExtractAuthMethod is an HTTP middleware that extracts the auth method and puller DID from the JWT Authorization header 254 254 + // and stores them in the request context for later use by the registry middleware. 255 255 + // Also stores the HTTP method for routing decisions (GET/HEAD = pull, PUT/POST = push). 547 256 func ExtractAuthMethod(next http.Handler) http.Handler { 548 257 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 258 258 + ctx := r.Context() 259 259 + 260 260 + // Store HTTP method in context for routing decisions 261 261 + // This is used by routing_repository.go to distinguish pull (GET/HEAD) from push (PUT/POST) 262 262 + ctx = context.WithValue(ctx, "http.request.method", r.Method) 263 263 + 549 264 // Extract Authorization header 550 265 authHeader := r.Header.Get("Authorization") 551 266 if authHeader != "" { ··· 558 273 authMethod := token.ExtractAuthMethod(tokenString) 559 274 if authMethod != "" { 560 275 // Store in context for registry middleware 561 561 - ctx := context.WithValue(r.Context(), authMethodKey, authMethod) 562 562 - r = r.WithContext(ctx) 563 563 - slog.Debug("Extracted auth method from JWT", 564 564 - "component", "registry/middleware", 565 565 - "authMethod", authMethod) 276 276 + ctx = context.WithValue(ctx, authMethodKey, authMethod) 566 277 } 278 278 + 279 279 + // Extract puller DID (Subject) from JWT 280 280 + // This is the authenticated user's DID, used for service token requests 281 281 + pullerDID := token.ExtractSubject(tokenString) 282 282 + if pullerDID != "" { 283 283 + ctx = context.WithValue(ctx, pullerDIDKey, pullerDID) 284 284 + } 285 285 + 286 286 + slog.Debug("Extracted auth info from JWT", 287 287 + "component", "registry/middleware", 288 288 + "authMethod", authMethod, 289 289 + "pullerDID", pullerDID, 290 290 + "httpMethod", r.Method) 567 291 } 568 292 } 569 293 294 294 + r = r.WithContext(ctx) 570 295 next.ServeHTTP(w, r) 571 296 }) 572 297 } 298 298 + 299 299 + // UserContextMiddleware creates a UserContext from the extracted JWT claims 300 300 + // and stores it in the request context for use throughout request processing. 301 301 + // This middleware should be chained AFTER ExtractAuthMethod. 302 302 + func UserContextMiddleware(deps *auth.Dependencies) func(http.Handler) http.Handler { 303 303 + return func(next http.Handler) http.Handler { 304 304 + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 305 305 + ctx := r.Context() 306 306 + 307 307 + // Get values set by ExtractAuthMethod 308 308 + authMethod, _ := ctx.Value(authMethodKey).(string) 309 309 + pullerDID, _ := ctx.Value(pullerDIDKey).(string) 310 310 + 311 311 + // Build UserContext with all dependencies 312 312 + userCtx := auth.NewUserContext(pullerDID, authMethod, r.Method, deps) 313 313 + 314 314 + // Eagerly resolve user's PDS for authenticated users 315 315 + // This is a fast path that avoids lazy loading in most cases 316 316 + if userCtx.IsAuthenticated { 317 317 + if err := userCtx.ResolvePDS(ctx); err != nil { 318 318 + slog.Warn("Failed to resolve puller's PDS", 319 319 + "component", "registry/middleware", 320 320 + "did", pullerDID, 321 321 + "error", err) 322 322 + // Continue without PDS - will fail on service token request 323 323 + } 324 324 + 325 325 + // Ensure user has profile and crew membership (runs in background, cached) 326 326 + userCtx.EnsureUserSetup() 327 327 + } 328 328 + 329 329 + // Store UserContext in request context 330 330 + ctx = auth.WithUserContext(ctx, userCtx) 331 331 + r = r.WithContext(ctx) 332 332 + 333 333 + slog.Debug("Created UserContext", 334 334 + "component", "registry/middleware", 335 335 + "isAuthenticated", userCtx.IsAuthenticated, 336 336 + "authMethod", userCtx.AuthMethod, 337 337 + "action", userCtx.Action.String(), 338 338 + "pullerDID", pullerDID) 339 339 + 340 340 + next.ServeHTTP(w, r) 341 341 + }) 342 342 + } 343 343 + }

+2 -43

pkg/appview/middleware/registry_test.go

··· 67 67 // If we get here without panic, test passes 68 68 } 69 69 70 70 - func TestSetGlobalReadmeCache(t *testing.T) { 71 71 - SetGlobalReadmeCache(nil) 72 72 - // If we get here without panic, test passes 73 73 - } 74 74 - 75 70 // TestInitATProtoResolver tests the initialization function 76 71 func TestInitATProtoResolver(t *testing.T) { 77 72 ctx := context.Background() ··· 134 129 } 135 130 } 136 131 137 137 - // TestAuthErrorMessage tests the error message formatting 138 138 - func TestAuthErrorMessage(t *testing.T) { 139 139 - resolver := &NamespaceResolver{ 140 140 - baseURL: "https://atcr.io", 141 141 - } 142 142 - 143 143 - err := resolver.authErrorMessage("OAuth session expired") 144 144 - assert.Contains(t, err.Error(), "OAuth session expired") 145 145 - assert.Contains(t, err.Error(), "https://atcr.io/auth/oauth/login") 146 146 - } 147 147 - 148 132 // TestFindHoldDID_DefaultFallback tests default hold DID fallback 149 133 func TestFindHoldDID_DefaultFallback(t *testing.T) { 150 134 // Start a mock PDS server that returns 404 for profile and empty list for holds ··· 204 188 assert.Equal(t, "did:web:user.hold.io", holdDID, "should use sailor profile's defaultHold") 205 189 } 206 190 207 207 - // TestFindHoldDID_NoProfile tests fallback to default hold when no profile exists 208 208 - func TestFindHoldDID_NoProfile(t *testing.T) { 209 209 - // Start a mock PDS server that returns 404 for profile 210 210 - mockPDS := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 211 211 - if r.URL.Path == "/xrpc/com.atproto.repo.getRecord" { 212 212 - // Profile not found 213 213 - w.WriteHeader(http.StatusNotFound) 214 214 - return 215 215 - } 216 216 - w.WriteHeader(http.StatusNotFound) 217 217 - })) 218 218 - defer mockPDS.Close() 219 219 - 220 220 - resolver := &NamespaceResolver{ 221 221 - defaultHoldDID: "did:web:default.atcr.io", 222 222 - } 223 223 - 224 224 - ctx := context.Background() 225 225 - holdDID := resolver.findHoldDID(ctx, "did:plc:test123", mockPDS.URL) 226 226 - 227 227 - // Should fall back to default hold DID when no profile exists 228 228 - // Note: Legacy io.atcr.hold records are no longer supported 229 229 - assert.Equal(t, "did:web:default.atcr.io", holdDID, "should fall back to default hold DID") 230 230 - } 231 231 - 232 232 - // TestFindHoldDID_Priority tests that profile takes priority over default 191 191 + // TestFindHoldDID_Priority tests the priority order 233 192 func TestFindHoldDID_Priority(t *testing.T) { 234 234 - // Start a mock PDS server that returns profile 193 193 + // Start a mock PDS server that returns both profile and hold records 235 194 mockPDS := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 236 195 if r.URL.Path == "/xrpc/com.atproto.repo.getRecord" { 237 196 // Return sailor profile with defaultHold (highest priority)

-111

pkg/appview/readme/cache.go

··· 1 1 - // Package readme provides README fetching, rendering, and caching functionality 2 2 - // for container repositories. It fetches markdown content from URLs, renders it 3 3 - // to sanitized HTML using GitHub-flavored markdown, and caches the results in 4 4 - // a database with configurable TTL. 5 5 - package readme 6 6 - 7 7 - import ( 8 8 - "context" 9 9 - "database/sql" 10 10 - "log/slog" 11 11 - "time" 12 12 - ) 13 13 - 14 14 - // Cache stores rendered README HTML in the database 15 15 - type Cache struct { 16 16 - db *sql.DB 17 17 - fetcher *Fetcher 18 18 - ttl time.Duration 19 19 - } 20 20 - 21 21 - // NewCache creates a new README cache 22 22 - func NewCache(db *sql.DB, ttl time.Duration) *Cache { 23 23 - if ttl == 0 { 24 24 - ttl = 1 * time.Hour // Default TTL 25 25 - } 26 26 - return &Cache{ 27 27 - db: db, 28 28 - fetcher: NewFetcher(), 29 29 - ttl: ttl, 30 30 - } 31 31 - } 32 32 - 33 33 - // Get retrieves a README from cache or fetches it 34 34 - func (c *Cache) Get(ctx context.Context, readmeURL string) (string, error) { 35 35 - // Try to get from cache 36 36 - html, fetchedAt, err := c.getFromDB(readmeURL) 37 37 - if err == nil { 38 38 - // Check if cache is still valid 39 39 - if time.Since(fetchedAt) < c.ttl { 40 40 - return html, nil 41 41 - } 42 42 - } 43 43 - 44 44 - // Cache miss or expired, fetch fresh content 45 45 - html, err = c.fetcher.FetchAndRender(ctx, readmeURL) 46 46 - if err != nil { 47 47 - // If fetch fails but we have stale cache, return it 48 48 - if html != "" { 49 49 - return html, nil 50 50 - } 51 51 - return "", err 52 52 - } 53 53 - 54 54 - // Store in cache 55 55 - if err := c.storeInDB(readmeURL, html); err != nil { 56 56 - // Log error but don't fail - we have the content 57 57 - slog.Warn("Failed to cache README", "error", err) 58 58 - } 59 59 - 60 60 - return html, nil 61 61 - } 62 62 - 63 63 - // getFromDB retrieves cached README from database 64 64 - func (c *Cache) getFromDB(readmeURL string) (string, time.Time, error) { 65 65 - var html string 66 66 - var fetchedAt time.Time 67 67 - 68 68 - err := c.db.QueryRow(` 69 69 - SELECT html, fetched_at 70 70 - FROM readme_cache 71 71 - WHERE url = ? 72 72 - `, readmeURL).Scan(&html, &fetchedAt) 73 73 - 74 74 - if err != nil { 75 75 - return "", time.Time{}, err 76 76 - } 77 77 - 78 78 - return html, fetchedAt, nil 79 79 - } 80 80 - 81 81 - // storeInDB stores rendered README in database 82 82 - func (c *Cache) storeInDB(readmeURL, html string) error { 83 83 - _, err := c.db.Exec(` 84 84 - INSERT INTO readme_cache (url, html, fetched_at) 85 85 - VALUES (?, ?, ?) 86 86 - ON CONFLICT(url) DO UPDATE SET 87 87 - html = excluded.html, 88 88 - fetched_at = excluded.fetched_at 89 89 - `, readmeURL, html, time.Now()) 90 90 - 91 91 - return err 92 92 - } 93 93 - 94 94 - // Invalidate removes a README from the cache 95 95 - func (c *Cache) Invalidate(readmeURL string) error { 96 96 - _, err := c.db.Exec(` 97 97 - DELETE FROM readme_cache 98 98 - WHERE url = ? 99 99 - `, readmeURL) 100 100 - return err 101 101 - } 102 102 - 103 103 - // Cleanup removes expired entries from the cache 104 104 - func (c *Cache) Cleanup() error { 105 105 - cutoff := time.Now().Add(-c.ttl * 2) // Keep for 2x TTL 106 106 - _, err := c.db.Exec(` 107 107 - DELETE FROM readme_cache 108 108 - WHERE fetched_at < ? 109 109 - `, cutoff) 110 110 - return err 111 111 - }

-13

pkg/appview/readme/cache_test.go

··· 1 1 - package readme 2 2 - 3 3 - import "testing" 4 4 - 5 5 - func TestCache_Struct(t *testing.T) { 6 6 - // Simple struct test 7 7 - cache := &Cache{} 8 8 - if cache == nil { 9 9 - t.Error("Expected non-nil cache") 10 10 - } 11 11 - } 12 12 - 13 13 - // TODO: Add cache operation tests

+62 -9

pkg/appview/readme/fetcher.go

··· 7 7 "io" 8 8 "net/http" 9 9 "net/url" 10 10 + "regexp" 10 11 "strings" 11 12 "time" 12 13 ··· 180 181 return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path) 181 182 } 182 183 184 184 + // Is404 returns true if the error indicates a 404 Not Found response 185 185 + func Is404(err error) bool { 186 186 + return err != nil && strings.Contains(err.Error(), "unexpected status code: 404") 187 187 + } 188 188 + 189 189 + // RenderMarkdown renders a markdown string to sanitized HTML 190 190 + // This is used for rendering repo page descriptions stored in the database 191 191 + func (f *Fetcher) RenderMarkdown(content []byte) (string, error) { 192 192 + // Render markdown to HTML (no base URL for repo page descriptions) 193 193 + return f.renderMarkdown(content, "") 194 194 + } 195 195 + 196 196 + // Regex patterns for matching relative URLs that need rewriting 197 197 + // These match src="..." or href="..." where the URL is relative (not absolute, not data:, not #anchor) 198 198 + var ( 199 199 + // Match src="filename" where filename doesn't start with http://, https://, //, /, #, data:, or mailto: 200 200 + relativeSrcPattern = regexp.MustCompile(`src="([^"/:][^"]*)"`) 201 201 + // Match href="filename" where filename doesn't start with http://, https://, //, /, #, data:, or mailto: 202 202 + relativeHrefPattern = regexp.MustCompile(`href="([^"/:][^"]*)"`) 203 203 + ) 204 204 + 183 205 // rewriteRelativeURLs converts relative URLs to absolute URLs 184 206 func rewriteRelativeURLs(html, baseURL string) string { 185 207 if baseURL == "" { ··· 191 213 return html 192 214 } 193 215 194 194 - // Simple string replacement for common patterns 195 195 - // This is a basic implementation - for production, consider using an HTML parser 196 196 - html = strings.ReplaceAll(html, `src="./`, fmt.Sprintf(`src="%s`, baseURL)) 197 197 - html = strings.ReplaceAll(html, `href="./`, fmt.Sprintf(`href="%s`, baseURL)) 198 198 - html = strings.ReplaceAll(html, `src="../`, fmt.Sprintf(`src="%s../`, baseURL)) 199 199 - html = strings.ReplaceAll(html, `href="../`, fmt.Sprintf(`href="%s../`, baseURL)) 200 200 - 201 201 - // Handle root-relative URLs (starting with /) 216 216 + // Handle root-relative URLs (starting with /) first 217 217 + // Must be done before bare relative URLs to avoid double-processing 202 218 if base.Scheme != "" && base.Host != "" { 203 219 root := fmt.Sprintf("%s://%s/", base.Scheme, base.Host) 204 204 - // Replace src="/" and href="/" but not src="//" (absolute URLs) 220 220 + // Replace src="/" and href="/" but not src="//" (protocol-relative URLs) 205 221 html = strings.ReplaceAll(html, `src="/`, fmt.Sprintf(`src="%s`, root)) 206 222 html = strings.ReplaceAll(html, `href="/`, fmt.Sprintf(`href="%s`, root)) 207 223 } 224 224 + 225 225 + // Handle explicit relative paths (./something and ../something) 226 226 + html = strings.ReplaceAll(html, `src="./`, fmt.Sprintf(`src="%s`, baseURL)) 227 227 + html = strings.ReplaceAll(html, `href="./`, fmt.Sprintf(`href="%s`, baseURL)) 228 228 + html = strings.ReplaceAll(html, `src="../`, fmt.Sprintf(`src="%s../`, baseURL)) 229 229 + html = strings.ReplaceAll(html, `href="../`, fmt.Sprintf(`href="%s../`, baseURL)) 230 230 + 231 231 + // Handle bare relative URLs (e.g., src="image.png" without ./ prefix) 232 232 + // Skip URLs that are already absolute (start with http://, https://, or //) 233 233 + // Skip anchors (#), data URLs (data:), and mailto links 234 234 + html = relativeSrcPattern.ReplaceAllStringFunc(html, func(match string) string { 235 235 + // Extract the URL from src="..." 236 236 + url := match[5 : len(match)-1] // Remove 'src="' and '"' 237 237 + 238 238 + // Skip if already processed or is a special URL type 239 239 + if strings.HasPrefix(url, "http://") || strings.HasPrefix(url, "https://") || 240 240 + strings.HasPrefix(url, "//") || strings.HasPrefix(url, "#") || 241 241 + strings.HasPrefix(url, "data:") || strings.HasPrefix(url, "mailto:") { 242 242 + return match 243 243 + } 244 244 + 245 245 + return fmt.Sprintf(`src="%s%s"`, baseURL, url) 246 246 + }) 247 247 + 248 248 + html = relativeHrefPattern.ReplaceAllStringFunc(html, func(match string) string { 249 249 + // Extract the URL from href="..." 250 250 + url := match[6 : len(match)-1] // Remove 'href="' and '"' 251 251 + 252 252 + // Skip if already processed or is a special URL type 253 253 + if strings.HasPrefix(url, "http://") || strings.HasPrefix(url, "https://") || 254 254 + strings.HasPrefix(url, "//") || strings.HasPrefix(url, "#") || 255 255 + strings.HasPrefix(url, "data:") || strings.HasPrefix(url, "mailto:") { 256 256 + return match 257 257 + } 258 258 + 259 259 + return fmt.Sprintf(`href="%s%s"`, baseURL, url) 260 260 + }) 208 261 209 262 return html 210 263 }

+148

pkg/appview/readme/fetcher_test.go

··· 145 145 baseURL: "https://example.com/docs/", 146 146 expected: `<img src="https://example.com//cdn.example.com/image.png">`, 147 147 }, 148 148 + { 149 149 + name: "bare relative src (no ./ prefix)", 150 150 + html: `<img src="image.png">`, 151 151 + baseURL: "https://example.com/docs/", 152 152 + expected: `<img src="https://example.com/docs/image.png">`, 153 153 + }, 154 154 + { 155 155 + name: "bare relative href (no ./ prefix)", 156 156 + html: `<a href="page.html">link</a>`, 157 157 + baseURL: "https://example.com/docs/", 158 158 + expected: `<a href="https://example.com/docs/page.html">link</a>`, 159 159 + }, 160 160 + { 161 161 + name: "bare relative with path", 162 162 + html: `<img src="images/logo.png">`, 163 163 + baseURL: "https://example.com/docs/", 164 164 + expected: `<img src="https://example.com/docs/images/logo.png">`, 165 165 + }, 166 166 + { 167 167 + name: "anchor links unchanged", 168 168 + html: `<a href="#section">link</a>`, 169 169 + baseURL: "https://example.com/docs/", 170 170 + expected: `<a href="#section">link</a>`, 171 171 + }, 172 172 + { 173 173 + name: "data URLs unchanged", 174 174 + html: `<img src="data:image/png;base64,abc123">`, 175 175 + baseURL: "https://example.com/docs/", 176 176 + expected: `<img src="data:image/png;base64,abc123">`, 177 177 + }, 178 178 + { 179 179 + name: "mailto links unchanged", 180 180 + html: `<a href="mailto:test@example.com">email</a>`, 181 181 + baseURL: "https://example.com/docs/", 182 182 + expected: `<a href="mailto:test@example.com">email</a>`, 183 183 + }, 184 184 + { 185 185 + name: "mixed bare and prefixed relative URLs", 186 186 + html: `<img src="slices_and_lucy.png"><a href="./other.md">link</a>`, 187 187 + baseURL: "https://github.com/user/repo/blob/main/", 188 188 + expected: `<img src="https://github.com/user/repo/blob/main/slices_and_lucy.png"><a href="https://github.com/user/repo/blob/main/other.md">link</a>`, 189 189 + }, 148 190 } 149 191 150 192 for _, tt := range tests { ··· 155 197 } 156 198 }) 157 199 } 200 200 + } 201 201 + 202 202 + func TestFetcher_RenderMarkdown(t *testing.T) { 203 203 + fetcher := NewFetcher() 204 204 + 205 205 + tests := []struct { 206 206 + name string 207 207 + content string 208 208 + wantContain string 209 209 + wantErr bool 210 210 + }{ 211 211 + { 212 212 + name: "simple paragraph", 213 213 + content: "Hello, world!", 214 214 + wantContain: "<p>Hello, world!</p>", 215 215 + wantErr: false, 216 216 + }, 217 217 + { 218 218 + name: "heading", 219 219 + content: "# My App", 220 220 + wantContain: "<h1", 221 221 + wantErr: false, 222 222 + }, 223 223 + { 224 224 + name: "bold text", 225 225 + content: "This is **bold** text.", 226 226 + wantContain: "<strong>bold</strong>", 227 227 + wantErr: false, 228 228 + }, 229 229 + { 230 230 + name: "italic text", 231 231 + content: "This is *italic* text.", 232 232 + wantContain: "<em>italic</em>", 233 233 + wantErr: false, 234 234 + }, 235 235 + { 236 236 + name: "code block", 237 237 + content: "```\ncode here\n```", 238 238 + wantContain: "<pre>", 239 239 + wantErr: false, 240 240 + }, 241 241 + { 242 242 + name: "link", 243 243 + content: "[Link text](https://example.com)", 244 244 + wantContain: `href="https://example.com"`, 245 245 + wantErr: false, 246 246 + }, 247 247 + { 248 248 + name: "image", 249 249 + content: "", 250 250 + wantContain: `src="https://example.com/image.png"`, 251 251 + wantErr: false, 252 252 + }, 253 253 + { 254 254 + name: "unordered list", 255 255 + content: "- Item 1\n- Item 2", 256 256 + wantContain: "<ul>", 257 257 + wantErr: false, 258 258 + }, 259 259 + { 260 260 + name: "ordered list", 261 261 + content: "1. Item 1\n2. Item 2", 262 262 + wantContain: "<ol>", 263 263 + wantErr: false, 264 264 + }, 265 265 + { 266 266 + name: "empty content", 267 267 + content: "", 268 268 + wantContain: "", 269 269 + wantErr: false, 270 270 + }, 271 271 + { 272 272 + name: "complex markdown", 273 273 + content: "# Title\n\nA paragraph with **bold** and *italic* text.\n\n- List item 1\n- List item 2\n\n```go\nfunc main() {}\n```", 274 274 + wantContain: "<h1", 275 275 + wantErr: false, 276 276 + }, 277 277 + } 278 278 + 279 279 + for _, tt := range tests { 280 280 + t.Run(tt.name, func(t *testing.T) { 281 281 + html, err := fetcher.RenderMarkdown([]byte(tt.content)) 282 282 + if (err != nil) != tt.wantErr { 283 283 + t.Errorf("RenderMarkdown() error = %v, wantErr %v", err, tt.wantErr) 284 284 + return 285 285 + } 286 286 + if !tt.wantErr && tt.wantContain != "" { 287 287 + if !containsSubstring(html, tt.wantContain) { 288 288 + t.Errorf("RenderMarkdown() = %q, want to contain %q", html, tt.wantContain) 289 289 + } 290 290 + } 291 291 + }) 292 292 + } 293 293 + } 294 294 + 295 295 + func containsSubstring(s, substr string) bool { 296 296 + return len(substr) == 0 || (len(s) >= len(substr) && (s == substr || len(s) > 0 && containsSubstringHelper(s, substr))) 297 297 + } 298 298 + 299 299 + func containsSubstringHelper(s, substr string) bool { 300 300 + for i := 0; i <= len(s)-len(substr); i++ { 301 301 + if s[i:i+len(substr)] == substr { 302 302 + return true 303 303 + } 304 304 + } 305 305 + return false 158 306 } 159 307 160 308 // TODO: Add README fetching and caching tests

+103

pkg/appview/readme/source.go

··· 1 1 + package readme 2 2 + 3 3 + import ( 4 4 + "fmt" 5 5 + "net/url" 6 6 + "strings" 7 7 + ) 8 8 + 9 9 + // Platform represents a supported Git hosting platform 10 10 + type Platform string 11 11 + 12 12 + const ( 13 13 + PlatformGitHub Platform = "github" 14 14 + PlatformGitLab Platform = "gitlab" 15 15 + PlatformTangled Platform = "tangled" 16 16 + ) 17 17 + 18 18 + // ParseSourceURL extracts platform, user, and repo from a source repository URL. 19 19 + // Returns ok=false if the URL is not a recognized pattern. 20 20 + func ParseSourceURL(sourceURL string) (platform Platform, user, repo string, ok bool) { 21 21 + if sourceURL == "" { 22 22 + return "", "", "", false 23 23 + } 24 24 + 25 25 + parsed, err := url.Parse(sourceURL) 26 26 + if err != nil { 27 27 + return "", "", "", false 28 28 + } 29 29 + 30 30 + // Normalize: remove trailing slash and .git suffix 31 31 + path := strings.TrimSuffix(parsed.Path, "/") 32 32 + path = strings.TrimSuffix(path, ".git") 33 33 + path = strings.TrimPrefix(path, "/") 34 34 + 35 35 + if path == "" { 36 36 + return "", "", "", false 37 37 + } 38 38 + 39 39 + host := strings.ToLower(parsed.Host) 40 40 + 41 41 + switch { 42 42 + case host == "github.com": 43 43 + // GitHub: github.com/{user}/{repo} 44 44 + parts := strings.SplitN(path, "/", 3) 45 45 + if len(parts) < 2 || parts[0] == "" || parts[1] == "" { 46 46 + return "", "", "", false 47 47 + } 48 48 + return PlatformGitHub, parts[0], parts[1], true 49 49 + 50 50 + case host == "gitlab.com": 51 51 + // GitLab: gitlab.com/{user}/{repo} or gitlab.com/{group}/{subgroup}/{repo} 52 52 + // For nested groups, user = everything except last part, repo = last part 53 53 + lastSlash := strings.LastIndex(path, "/") 54 54 + if lastSlash == -1 || lastSlash == 0 { 55 55 + return "", "", "", false 56 56 + } 57 57 + user = path[:lastSlash] 58 58 + repo = path[lastSlash+1:] 59 59 + if user == "" || repo == "" { 60 60 + return "", "", "", false 61 61 + } 62 62 + return PlatformGitLab, user, repo, true 63 63 + 64 64 + case host == "tangled.org" || host == "tangled.sh": 65 65 + // Tangled: tangled.org/{user}/{repo} or tangled.sh/@{user}/{repo} (legacy) 66 66 + // Strip leading @ from user if present 67 67 + path = strings.TrimPrefix(path, "@") 68 68 + parts := strings.SplitN(path, "/", 3) 69 69 + if len(parts) < 2 || parts[0] == "" || parts[1] == "" { 70 70 + return "", "", "", false 71 71 + } 72 72 + return PlatformTangled, parts[0], parts[1], true 73 73 + 74 74 + default: 75 75 + return "", "", "", false 76 76 + } 77 77 + } 78 78 + 79 79 + // DeriveReadmeURL converts a source repository URL to a raw README URL. 80 80 + // Returns empty string if platform is not supported. 81 81 + func DeriveReadmeURL(sourceURL, branch string) string { 82 82 + platform, user, repo, ok := ParseSourceURL(sourceURL) 83 83 + if !ok { 84 84 + return "" 85 85 + } 86 86 + 87 87 + switch platform { 88 88 + case PlatformGitHub: 89 89 + // https://raw.githubusercontent.com/{user}/{repo}/refs/heads/{branch}/README.md 90 90 + return fmt.Sprintf("https://raw.githubusercontent.com/%s/%s/refs/heads/%s/README.md", user, repo, branch) 91 91 + 92 92 + case PlatformGitLab: 93 93 + // https://gitlab.com/{user}/{repo}/-/raw/{branch}/README.md 94 94 + return fmt.Sprintf("https://gitlab.com/%s/%s/-/raw/%s/README.md", user, repo, branch) 95 95 + 96 96 + case PlatformTangled: 97 97 + // https://tangled.org/{user}/{repo}/raw/{branch}/README.md 98 98 + return fmt.Sprintf("https://tangled.org/%s/%s/raw/%s/README.md", user, repo, branch) 99 99 + 100 100 + default: 101 101 + return "" 102 102 + } 103 103 + }

+241

pkg/appview/readme/source_test.go

··· 1 1 + package readme 2 2 + 3 3 + import ( 4 4 + "testing" 5 5 + ) 6 6 + 7 7 + func TestParseSourceURL(t *testing.T) { 8 8 + tests := []struct { 9 9 + name string 10 10 + sourceURL string 11 11 + wantPlatform Platform 12 12 + wantUser string 13 13 + wantRepo string 14 14 + wantOK bool 15 15 + }{ 16 16 + // GitHub 17 17 + { 18 18 + name: "github standard", 19 19 + sourceURL: "https://github.com/bigmoves/quickslice", 20 20 + wantPlatform: PlatformGitHub, 21 21 + wantUser: "bigmoves", 22 22 + wantRepo: "quickslice", 23 23 + wantOK: true, 24 24 + }, 25 25 + { 26 26 + name: "github with .git suffix", 27 27 + sourceURL: "https://github.com/user/repo.git", 28 28 + wantPlatform: PlatformGitHub, 29 29 + wantUser: "user", 30 30 + wantRepo: "repo", 31 31 + wantOK: true, 32 32 + }, 33 33 + { 34 34 + name: "github with trailing slash", 35 35 + sourceURL: "https://github.com/user/repo/", 36 36 + wantPlatform: PlatformGitHub, 37 37 + wantUser: "user", 38 38 + wantRepo: "repo", 39 39 + wantOK: true, 40 40 + }, 41 41 + { 42 42 + name: "github with subpath (ignored)", 43 43 + sourceURL: "https://github.com/user/repo/tree/main", 44 44 + wantPlatform: PlatformGitHub, 45 45 + wantUser: "user", 46 46 + wantRepo: "repo", 47 47 + wantOK: true, 48 48 + }, 49 49 + { 50 50 + name: "github user only", 51 51 + sourceURL: "https://github.com/user", 52 52 + wantOK: false, 53 53 + }, 54 54 + 55 55 + // GitLab 56 56 + { 57 57 + name: "gitlab standard", 58 58 + sourceURL: "https://gitlab.com/user/repo", 59 59 + wantPlatform: PlatformGitLab, 60 60 + wantUser: "user", 61 61 + wantRepo: "repo", 62 62 + wantOK: true, 63 63 + }, 64 64 + { 65 65 + name: "gitlab nested groups", 66 66 + sourceURL: "https://gitlab.com/group/subgroup/repo", 67 67 + wantPlatform: PlatformGitLab, 68 68 + wantUser: "group/subgroup", 69 69 + wantRepo: "repo", 70 70 + wantOK: true, 71 71 + }, 72 72 + { 73 73 + name: "gitlab deep nested groups", 74 74 + sourceURL: "https://gitlab.com/a/b/c/d/repo", 75 75 + wantPlatform: PlatformGitLab, 76 76 + wantUser: "a/b/c/d", 77 77 + wantRepo: "repo", 78 78 + wantOK: true, 79 79 + }, 80 80 + { 81 81 + name: "gitlab with .git suffix", 82 82 + sourceURL: "https://gitlab.com/user/repo.git", 83 83 + wantPlatform: PlatformGitLab, 84 84 + wantUser: "user", 85 85 + wantRepo: "repo", 86 86 + wantOK: true, 87 87 + }, 88 88 + 89 89 + // Tangled 90 90 + { 91 91 + name: "tangled standard", 92 92 + sourceURL: "https://tangled.org/evan.jarrett.net/at-container-registry", 93 93 + wantPlatform: PlatformTangled, 94 94 + wantUser: "evan.jarrett.net", 95 95 + wantRepo: "at-container-registry", 96 96 + wantOK: true, 97 97 + }, 98 98 + { 99 99 + name: "tangled with legacy @ prefix", 100 100 + sourceURL: "https://tangled.org/@evan.jarrett.net/at-container-registry", 101 101 + wantPlatform: PlatformTangled, 102 102 + wantUser: "evan.jarrett.net", 103 103 + wantRepo: "at-container-registry", 104 104 + wantOK: true, 105 105 + }, 106 106 + { 107 107 + name: "tangled.sh domain", 108 108 + sourceURL: "https://tangled.sh/user/repo", 109 109 + wantPlatform: PlatformTangled, 110 110 + wantUser: "user", 111 111 + wantRepo: "repo", 112 112 + wantOK: true, 113 113 + }, 114 114 + { 115 115 + name: "tangled with trailing slash", 116 116 + sourceURL: "https://tangled.org/user/repo/", 117 117 + wantPlatform: PlatformTangled, 118 118 + wantUser: "user", 119 119 + wantRepo: "repo", 120 120 + wantOK: true, 121 121 + }, 122 122 + 123 123 + // Unsupported / Invalid 124 124 + { 125 125 + name: "unsupported platform", 126 126 + sourceURL: "https://bitbucket.org/user/repo", 127 127 + wantOK: false, 128 128 + }, 129 129 + { 130 130 + name: "empty url", 131 131 + sourceURL: "", 132 132 + wantOK: false, 133 133 + }, 134 134 + { 135 135 + name: "invalid url", 136 136 + sourceURL: "not-a-url", 137 137 + wantOK: false, 138 138 + }, 139 139 + { 140 140 + name: "just host", 141 141 + sourceURL: "https://github.com", 142 142 + wantOK: false, 143 143 + }, 144 144 + } 145 145 + 146 146 + for _, tt := range tests { 147 147 + t.Run(tt.name, func(t *testing.T) { 148 148 + platform, user, repo, ok := ParseSourceURL(tt.sourceURL) 149 149 + if ok != tt.wantOK { 150 150 + t.Errorf("ParseSourceURL(%q) ok = %v, want %v", tt.sourceURL, ok, tt.wantOK) 151 151 + return 152 152 + } 153 153 + if !tt.wantOK { 154 154 + return 155 155 + } 156 156 + if platform != tt.wantPlatform { 157 157 + t.Errorf("ParseSourceURL(%q) platform = %v, want %v", tt.sourceURL, platform, tt.wantPlatform) 158 158 + } 159 159 + if user != tt.wantUser { 160 160 + t.Errorf("ParseSourceURL(%q) user = %q, want %q", tt.sourceURL, user, tt.wantUser) 161 161 + } 162 162 + if repo != tt.wantRepo { 163 163 + t.Errorf("ParseSourceURL(%q) repo = %q, want %q", tt.sourceURL, repo, tt.wantRepo) 164 164 + } 165 165 + }) 166 166 + } 167 167 + } 168 168 + 169 169 + func TestDeriveReadmeURL(t *testing.T) { 170 170 + tests := []struct { 171 171 + name string 172 172 + sourceURL string 173 173 + branch string 174 174 + want string 175 175 + }{ 176 176 + // GitHub 177 177 + { 178 178 + name: "github main", 179 179 + sourceURL: "https://github.com/bigmoves/quickslice", 180 180 + branch: "main", 181 181 + want: "https://raw.githubusercontent.com/bigmoves/quickslice/refs/heads/main/README.md", 182 182 + }, 183 183 + { 184 184 + name: "github master", 185 185 + sourceURL: "https://github.com/user/repo", 186 186 + branch: "master", 187 187 + want: "https://raw.githubusercontent.com/user/repo/refs/heads/master/README.md", 188 188 + }, 189 189 + 190 190 + // GitLab 191 191 + { 192 192 + name: "gitlab main", 193 193 + sourceURL: "https://gitlab.com/user/repo", 194 194 + branch: "main", 195 195 + want: "https://gitlab.com/user/repo/-/raw/main/README.md", 196 196 + }, 197 197 + { 198 198 + name: "gitlab nested groups", 199 199 + sourceURL: "https://gitlab.com/group/subgroup/repo", 200 200 + branch: "main", 201 201 + want: "https://gitlab.com/group/subgroup/repo/-/raw/main/README.md", 202 202 + }, 203 203 + 204 204 + // Tangled 205 205 + { 206 206 + name: "tangled main", 207 207 + sourceURL: "https://tangled.org/evan.jarrett.net/at-container-registry", 208 208 + branch: "main", 209 209 + want: "https://tangled.org/evan.jarrett.net/at-container-registry/raw/main/README.md", 210 210 + }, 211 211 + { 212 212 + name: "tangled legacy @ prefix", 213 213 + sourceURL: "https://tangled.org/@user/repo", 214 214 + branch: "main", 215 215 + want: "https://tangled.org/user/repo/raw/main/README.md", 216 216 + }, 217 217 + 218 218 + // Unsupported 219 219 + { 220 220 + name: "unsupported platform", 221 221 + sourceURL: "https://bitbucket.org/user/repo", 222 222 + branch: "main", 223 223 + want: "", 224 224 + }, 225 225 + { 226 226 + name: "empty url", 227 227 + sourceURL: "", 228 228 + branch: "main", 229 229 + want: "", 230 230 + }, 231 231 + } 232 232 + 233 233 + for _, tt := range tests { 234 234 + t.Run(tt.name, func(t *testing.T) { 235 235 + got := DeriveReadmeURL(tt.sourceURL, tt.branch) 236 236 + if got != tt.want { 237 237 + t.Errorf("DeriveReadmeURL(%q, %q) = %q, want %q", tt.sourceURL, tt.branch, got, tt.want) 238 238 + } 239 239 + }) 240 240 + } 241 241 + }

+37 -15

pkg/appview/routes/routes.go

··· 27 27 BaseURL string 28 28 DeviceStore *db.DeviceStore 29 29 HealthChecker *holdhealth.Checker 30 30 - ReadmeCache *readme.Cache 30 30 + ReadmeFetcher *readme.Fetcher 31 31 Templates *template.Template 32 32 + DefaultHoldDID string // For UserContext creation 32 33 } 33 34 34 35 // RegisterUIRoutes registers all web UI and API routes on the provided router ··· 36 37 // Extract trimmed registry URL for templates 37 38 registryURL := trimRegistryURL(deps.BaseURL) 38 39 40 40 + // Create web auth dependencies for middleware (enables UserContext in web routes) 41 41 + webAuthDeps := middleware.WebAuthDeps{ 42 42 + SessionStore: deps.SessionStore, 43 43 + Database: deps.Database, 44 44 + Refresher: deps.Refresher, 45 45 + DefaultHoldDID: deps.DefaultHoldDID, 46 46 + } 47 47 + 39 48 // OAuth login routes (public) 40 49 router.Get("/auth/oauth/login", (&uihandlers.LoginHandler{ 41 50 Templates: deps.Templates, ··· 45 54 46 55 // Public routes (with optional auth for navbar) 47 56 // SECURITY: Public pages use read-only DB 48 48 - router.Get("/", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 57 57 + router.Get("/", middleware.OptionalAuthWithDeps(webAuthDeps)( 49 58 &uihandlers.HomeHandler{ 50 59 DB: deps.ReadOnlyDB, 51 60 Templates: deps.Templates, ··· 53 62 }, 54 63 ).ServeHTTP) 55 64 56 56 - router.Get("/api/recent-pushes", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 65 65 + router.Get("/api/recent-pushes", middleware.OptionalAuthWithDeps(webAuthDeps)( 57 66 &uihandlers.RecentPushesHandler{ 58 67 DB: deps.ReadOnlyDB, 59 68 Templates: deps.Templates, ··· 63 72 ).ServeHTTP) 64 73 65 74 // SECURITY: Search uses read-only DB to prevent writes and limit access to sensitive tables 66 66 - router.Get("/search", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 75 75 + router.Get("/search", middleware.OptionalAuthWithDeps(webAuthDeps)( 67 76 &uihandlers.SearchHandler{ 68 77 DB: deps.ReadOnlyDB, 69 78 Templates: deps.Templates, ··· 71 80 }, 72 81 ).ServeHTTP) 73 82 74 74 - router.Get("/api/search-results", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 83 83 + router.Get("/api/search-results", middleware.OptionalAuthWithDeps(webAuthDeps)( 75 84 &uihandlers.SearchResultsHandler{ 76 85 DB: deps.ReadOnlyDB, 77 86 Templates: deps.Templates, ··· 80 89 ).ServeHTTP) 81 90 82 91 // Install page (public) 83 83 - router.Get("/install", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 92 92 + router.Get("/install", middleware.OptionalAuthWithDeps(webAuthDeps)( 84 93 &uihandlers.InstallHandler{ 85 94 Templates: deps.Templates, 86 95 RegistryURL: registryURL, ··· 88 97 ).ServeHTTP) 89 98 90 99 // API route for repository stats (public, read-only) 91 91 - router.Get("/api/stats/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 100 100 + router.Get("/api/stats/{handle}/{repository}", middleware.OptionalAuthWithDeps(webAuthDeps)( 92 101 &uihandlers.GetStatsHandler{ 93 102 DB: deps.ReadOnlyDB, 94 103 Directory: deps.OAuthClientApp.Dir, ··· 96 105 ).ServeHTTP) 97 106 98 107 // API routes for stars (require authentication) 99 99 - router.Post("/api/stars/{handle}/{repository}", middleware.RequireAuth(deps.SessionStore, deps.Database)( 108 108 + router.Post("/api/stars/{handle}/{repository}", middleware.RequireAuthWithDeps(webAuthDeps)( 100 109 &uihandlers.StarRepositoryHandler{ 101 110 DB: deps.Database, // Needs write access 102 111 Directory: deps.OAuthClientApp.Dir, ··· 104 113 }, 105 114 ).ServeHTTP) 106 115 107 107 - router.Delete("/api/stars/{handle}/{repository}", middleware.RequireAuth(deps.SessionStore, deps.Database)( 116 116 + router.Delete("/api/stars/{handle}/{repository}", middleware.RequireAuthWithDeps(webAuthDeps)( 108 117 &uihandlers.UnstarRepositoryHandler{ 109 118 DB: deps.Database, // Needs write access 110 119 Directory: deps.OAuthClientApp.Dir, ··· 112 121 }, 113 122 ).ServeHTTP) 114 123 115 115 - router.Get("/api/stars/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 124 124 + router.Get("/api/stars/{handle}/{repository}", middleware.OptionalAuthWithDeps(webAuthDeps)( 116 125 &uihandlers.CheckStarHandler{ 117 126 DB: deps.ReadOnlyDB, // Read-only check 118 127 Directory: deps.OAuthClientApp.Dir, ··· 121 130 ).ServeHTTP) 122 131 123 132 // Manifest detail API endpoint 124 124 - router.Get("/api/manifests/{handle}/{repository}/{digest}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 133 133 + router.Get("/api/manifests/{handle}/{repository}/{digest}", middleware.OptionalAuthWithDeps(webAuthDeps)( 125 134 &uihandlers.ManifestDetailHandler{ 126 135 DB: deps.ReadOnlyDB, 127 136 Directory: deps.OAuthClientApp.Dir, ··· 133 142 HealthChecker: deps.HealthChecker, 134 143 }).ServeHTTP) 135 144 136 136 - router.Get("/u/{handle}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 145 145 + router.Get("/u/{handle}", middleware.OptionalAuthWithDeps(webAuthDeps)( 137 146 &uihandlers.UserPageHandler{ 138 147 DB: deps.ReadOnlyDB, 139 148 Templates: deps.Templates, ··· 152 161 DB: deps.ReadOnlyDB, 153 162 }).ServeHTTP) 154 163 155 155 - router.Get("/r/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 164 164 + router.Get("/r/{handle}/{repository}", middleware.OptionalAuthWithDeps(webAuthDeps)( 156 165 &uihandlers.RepositoryPageHandler{ 157 166 DB: deps.ReadOnlyDB, 158 167 Templates: deps.Templates, ··· 160 169 Directory: deps.OAuthClientApp.Dir, 161 170 Refresher: deps.Refresher, 162 171 HealthChecker: deps.HealthChecker, 163 163 - ReadmeCache: deps.ReadmeCache, 172 172 + ReadmeFetcher: deps.ReadmeFetcher, 164 173 }, 165 174 ).ServeHTTP) 166 175 167 176 // Authenticated routes 168 177 router.Group(func(r chi.Router) { 169 169 - r.Use(middleware.RequireAuth(deps.SessionStore, deps.Database)) 178 178 + r.Use(middleware.RequireAuthWithDeps(webAuthDeps)) 170 179 171 180 r.Get("/settings", (&uihandlers.SettingsHandler{ 172 181 Templates: deps.Templates, ··· 188 197 Refresher: deps.Refresher, 189 198 }).ServeHTTP) 190 199 200 200 + r.Post("/api/images/{repository}/avatar", (&uihandlers.UploadAvatarHandler{ 201 201 + DB: deps.Database, 202 202 + Refresher: deps.Refresher, 203 203 + }).ServeHTTP) 204 204 + 191 205 // Device approval page (authenticated) 192 206 r.Get("/device", (&uihandlers.DeviceApprovalPageHandler{ 193 207 Store: deps.DeviceStore, ··· 219 233 } 220 234 router.Get("/auth/logout", logoutHandler.ServeHTTP) 221 235 router.Post("/auth/logout", logoutHandler.ServeHTTP) 236 236 + 237 237 + // Custom 404 handler 238 238 + router.NotFound(middleware.OptionalAuthWithDeps(webAuthDeps)( 239 239 + &uihandlers.NotFoundHandler{ 240 240 + Templates: deps.Templates, 241 241 + RegistryURL: registryURL, 242 242 + }, 243 243 + ).ServeHTTP) 222 244 } 223 245 224 246 // CORSMiddleware returns a middleware that sets CORS headers for API endpoints

+160 -49

pkg/appview/static/css/style.css

··· 38 38 --version-badge-text: #7b1fa2; 39 39 --version-badge-border: #ba68c8; 40 40 41 41 + /* Attestation badge */ 42 42 + --attestation-badge-bg: #d1fae5; 43 43 + --attestation-badge-text: #065f46; 44 44 + 41 45 /* Hero section colors */ 42 46 --hero-bg-start: #f8f9fa; 43 47 --hero-bg-end: #e9ecef; ··· 90 94 --version-badge-text: #ffffff; 91 95 --version-badge-border: #ba68c8; 92 96 97 97 + /* Attestation badge */ 98 98 + --attestation-badge-bg: #065f46; 99 99 + --attestation-badge-text: #6ee7b7; 100 100 + 93 101 /* Hero section colors */ 94 102 --hero-bg-start: #2d2d2d; 95 103 --hero-bg-end: #1a1a1a; ··· 109 117 } 110 118 111 119 body { 112 112 - font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; 120 120 + font-family: 121 121 + -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", 122 122 + Arial, sans-serif; 113 123 background: var(--bg); 114 124 color: var(--fg); 115 125 line-height: 1.6; ··· 170 180 } 171 181 172 182 .nav-links a:hover { 173 173 - background:var(--secondary); 183 183 + background: var(--secondary); 174 184 border-radius: 4px; 175 185 } 176 186 ··· 193 203 } 194 204 195 205 .user-menu-btn:hover { 196 196 - background:var(--secondary); 206 206 + background: var(--secondary); 197 207 } 198 208 199 209 .user-avatar { ··· 266 276 position: absolute; 267 277 top: calc(100% + 0.5rem); 268 278 right: 0; 269 269 - background:var(--bg); 279 279 + background: var(--bg); 270 280 border: 1px solid var(--border); 271 281 border-radius: 8px; 272 282 box-shadow: var(--shadow-lg); ··· 287 297 color: var(--fg); 288 298 text-decoration: none; 289 299 border: none; 290 290 - background:var(--bg); 300 300 + background: var(--bg); 291 301 cursor: pointer; 292 302 transition: background 0.2s; 293 303 font-size: 0.95rem; ··· 309 319 } 310 320 311 321 /* Buttons */ 312 312 - button, .btn, .btn-primary, .btn-secondary { 322 322 + button, 323 323 + .btn, 324 324 + .btn-primary, 325 325 + .btn-secondary { 313 326 padding: 0.5rem 1rem; 314 327 background: var(--button-primary); 315 328 color: var(--btn-text); ··· 322 335 transition: opacity 0.2s; 323 336 } 324 337 325 325 - button:hover, .btn:hover, .btn-primary:hover, .btn-secondary:hover { 338 338 + button:hover, 339 339 + .btn:hover, 340 340 + .btn-primary:hover, 341 341 + .btn-secondary:hover { 326 342 opacity: 0.9; 327 343 } 328 344 ··· 393 409 } 394 410 395 411 /* Cards */ 396 396 - .push-card, .repository-card { 412 412 + .push-card, 413 413 + .repository-card { 397 414 border: 1px solid var(--border); 398 415 border-radius: 8px; 399 416 padding: 1rem; 400 417 margin-bottom: 1rem; 401 401 - background:var(--bg); 418 418 + background: var(--bg); 402 419 box-shadow: var(--shadow-sm); 403 420 } 404 421 ··· 449 466 } 450 467 451 468 .digest { 452 452 - font-family: 'Monaco', 'Courier New', monospace; 469 469 + font-family: "Monaco", "Courier New", monospace; 453 470 font-size: 0.85rem; 454 471 background: var(--code-bg); 455 472 padding: 0.1rem 0.3rem; ··· 492 509 } 493 510 494 511 .docker-command-text { 495 495 - font-family: 'Monaco', 'Courier New', monospace; 512 512 + font-family: "Monaco", "Courier New", monospace; 496 513 font-size: 0.85rem; 497 514 color: var(--fg); 498 515 flex: 0 1 auto; ··· 510 527 border-radius: 4px; 511 528 opacity: 0; 512 529 visibility: hidden; 513 513 - transition: opacity 0.2s, visibility 0.2s; 530 530 + transition: 531 531 + opacity 0.2s, 532 532 + visibility 0.2s; 514 533 } 515 534 516 535 .docker-command:hover .copy-btn { ··· 752 771 } 753 772 754 773 .repo-stats { 755 755 - color:var(--border-dark); 774 774 + color: var(--border-dark); 756 775 font-size: 0.9rem; 757 776 display: flex; 758 777 gap: 0.5rem; ··· 781 800 padding-top: 1rem; 782 801 } 783 802 784 784 - .tags-section, .manifests-section { 803 803 + .tags-section, 804 804 + .manifests-section { 785 805 margin-bottom: 1.5rem; 786 806 } 787 807 788 788 - .tags-section h3, .manifests-section h3 { 808 808 + .tags-section h3, 809 809 + .manifests-section h3 { 789 810 font-size: 1.1rem; 790 811 margin-bottom: 0.5rem; 791 812 color: var(--secondary); 792 813 } 793 814 794 794 - .tag-row, .manifest-row { 815 815 + .tag-row, 816 816 + .manifest-row { 795 817 display: flex; 796 818 gap: 1rem; 797 819 align-items: center; ··· 799 821 border-bottom: 1px solid var(--border); 800 822 } 801 823 802 802 - .tag-row:last-child, .manifest-row:last-child { 824 824 + .tag-row:last-child, 825 825 + .manifest-row:last-child { 803 826 border-bottom: none; 804 827 } 805 828 ··· 821 844 } 822 845 823 846 .settings-section { 824 824 - background:var(--bg); 847 847 + background: var(--bg); 825 848 border: 1px solid var(--border); 826 849 border-radius: 8px; 827 850 padding: 1.5rem; ··· 918 941 padding: 1rem; 919 942 border-radius: 4px; 920 943 overflow-x: auto; 921 921 - font-family: 'Monaco', 'Courier New', monospace; 944 944 + font-family: "Monaco", "Courier New", monospace; 922 945 font-size: 0.85rem; 923 946 border: 1px solid var(--border); 924 947 } ··· 1004 1027 margin: 1rem 0; 1005 1028 } 1006 1029 1007 1007 - /* Load More Button */ 1008 1008 - .load-more { 1009 1009 - width: 100%; 1010 1010 - margin-top: 1rem; 1011 1011 - background: var(--secondary); 1012 1012 - } 1013 1013 - 1014 1030 /* Login Page */ 1015 1031 .login-page { 1016 1032 max-width: 450px; ··· 1031 1047 } 1032 1048 1033 1049 .login-form { 1034 1034 - background:var(--bg); 1050 1050 + background: var(--bg); 1035 1051 padding: 2rem; 1036 1052 border-radius: 8px; 1037 1053 border: 1px solid var(--border); ··· 1182 1198 } 1183 1199 1184 1200 .repository-header { 1185 1185 - background:var(--bg); 1201 1201 + background: var(--bg); 1186 1202 border: 1px solid var(--border); 1187 1203 border-radius: 8px; 1188 1204 padding: 2rem; ··· 1220 1236 flex-shrink: 0; 1221 1237 } 1222 1238 1239 1239 + .repo-hero-icon-wrapper { 1240 1240 + position: relative; 1241 1241 + display: inline-block; 1242 1242 + flex-shrink: 0; 1243 1243 + } 1244 1244 + 1245 1245 + .avatar-upload-overlay { 1246 1246 + position: absolute; 1247 1247 + inset: 0; 1248 1248 + display: flex; 1249 1249 + align-items: center; 1250 1250 + justify-content: center; 1251 1251 + background: rgba(0, 0, 0, 0.5); 1252 1252 + border-radius: 12px; 1253 1253 + opacity: 0; 1254 1254 + cursor: pointer; 1255 1255 + transition: opacity 0.2s ease; 1256 1256 + } 1257 1257 + 1258 1258 + .avatar-upload-overlay i { 1259 1259 + color: white; 1260 1260 + width: 24px; 1261 1261 + height: 24px; 1262 1262 + } 1263 1263 + 1264 1264 + .repo-hero-icon-wrapper:hover .avatar-upload-overlay { 1265 1265 + opacity: 1; 1266 1266 + } 1267 1267 + 1223 1268 .repo-hero-info { 1224 1269 flex: 1; 1225 1270 } ··· 1290 1335 } 1291 1336 1292 1337 .star-btn.starred { 1293 1293 - border-color:var(--star); 1338 1338 + border-color: var(--star); 1294 1339 background: var(--code-bg); 1295 1340 } 1296 1341 ··· 1374 1419 } 1375 1420 1376 1421 .repo-section { 1377 1377 - background:var(--bg); 1422 1422 + background: var(--bg); 1378 1423 border: 1px solid var(--border); 1379 1424 border-radius: 8px; 1380 1425 padding: 1.5rem; ··· 1389 1434 border-bottom: 2px solid var(--border); 1390 1435 } 1391 1436 1392 1392 - .tags-list, .manifests-list { 1437 1437 + .tags-list, 1438 1438 + .manifests-list { 1393 1439 display: flex; 1394 1440 flex-direction: column; 1395 1441 gap: 1rem; 1396 1442 } 1397 1443 1398 1398 - .tag-item, .manifest-item { 1444 1444 + .tag-item, 1445 1445 + .manifest-item { 1399 1446 border: 1px solid var(--border); 1400 1447 border-radius: 6px; 1401 1448 padding: 1rem; 1402 1449 background: var(--hover-bg); 1403 1450 } 1404 1451 1405 1405 - .tag-item-header, .manifest-item-header { 1452 1452 + .tag-item-header, 1453 1453 + .manifest-item-header { 1406 1454 display: flex; 1407 1455 justify-content: space-between; 1408 1456 align-items: center; ··· 1532 1580 color: var(--fg); 1533 1581 border: 1px solid var(--border); 1534 1582 white-space: nowrap; 1535 1535 - font-family: 'Monaco', 'Courier New', monospace; 1583 1583 + font-family: "Monaco", "Courier New", monospace; 1536 1584 } 1537 1585 1538 1586 .platforms-inline { ··· 1570 1618 .badge-attestation { 1571 1619 display: inline-flex; 1572 1620 align-items: center; 1573 1573 - gap: 0.35rem; 1574 1574 - padding: 0.25rem 0.5rem; 1575 1575 - background: #f3e8ff; 1576 1576 - color: #7c3aed; 1577 1577 - border: 1px solid #c4b5fd; 1578 1578 - border-radius: 4px; 1579 1579 - font-size: 0.85rem; 1621 1621 + gap: 0.3rem; 1622 1622 + padding: 0.25rem 0.6rem; 1623 1623 + background: var(--attestation-badge-bg); 1624 1624 + color: var(--attestation-badge-text); 1625 1625 + border-radius: 12px; 1626 1626 + font-size: 0.75rem; 1580 1627 font-weight: 600; 1581 1628 margin-left: 0.5rem; 1629 1629 + vertical-align: middle; 1630 1630 + white-space: nowrap; 1582 1631 } 1583 1632 1584 1633 .badge-attestation .lucide { 1585 1585 - width: 0.9rem; 1586 1586 - height: 0.9rem; 1634 1634 + width: 0.75rem; 1635 1635 + height: 0.75rem; 1587 1636 } 1588 1637 1589 1638 /* Featured Repositories Section */ ··· 1736 1785 1737 1786 /* Hero Section */ 1738 1787 .hero-section { 1739 1739 - background: linear-gradient(135deg, var(--hero-bg-start) 0%, var(--hero-bg-end) 100%); 1788 1788 + background: linear-gradient( 1789 1789 + 135deg, 1790 1790 + var(--hero-bg-start) 0%, 1791 1791 + var(--hero-bg-end) 100% 1792 1792 + ); 1740 1793 padding: 4rem 2rem; 1741 1794 border-bottom: 1px solid var(--border); 1742 1795 } ··· 1801 1854 .terminal-content { 1802 1855 padding: 1.5rem; 1803 1856 margin: 0; 1804 1804 - font-family: 'Monaco', 'Courier New', monospace; 1857 1857 + font-family: "Monaco", "Courier New", monospace; 1805 1858 font-size: 0.95rem; 1806 1859 line-height: 1.8; 1807 1860 color: var(--terminal-text); ··· 1957 2010 } 1958 2011 1959 2012 .code-block code { 1960 1960 - font-family: 'Monaco', 'Menlo', monospace; 2013 2013 + font-family: "Monaco", "Menlo", monospace; 1961 2014 font-size: 0.9rem; 1962 2015 line-height: 1.5; 1963 2016 white-space: pre-wrap; ··· 2014 2067 flex-wrap: wrap; 2015 2068 } 2016 2069 2017 2017 - .tag-row, .manifest-row { 2070 2070 + .tag-row, 2071 2071 + .manifest-row { 2018 2072 flex-wrap: wrap; 2019 2073 } 2020 2074 ··· 2103 2157 /* README and Repository Layout */ 2104 2158 .repo-content-layout { 2105 2159 display: grid; 2106 2106 - grid-template-columns: 7fr 3fr; 2160 2160 + grid-template-columns: 6fr 4fr; 2107 2161 gap: 2rem; 2108 2162 margin-top: 2rem; 2109 2163 } ··· 2214 2268 background: var(--code-bg); 2215 2269 padding: 0.2rem 0.4rem; 2216 2270 border-radius: 3px; 2217 2217 - font-family: 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, monospace; 2271 2271 + font-family: 2272 2272 + "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace; 2218 2273 font-size: 0.9em; 2219 2274 } 2220 2275 ··· 2318 2373 padding: 0.75rem; 2319 2374 } 2320 2375 } 2376 2376 + 2377 2377 + /* 404 Error Page */ 2378 2378 + .error-page { 2379 2379 + display: flex; 2380 2380 + align-items: center; 2381 2381 + justify-content: center; 2382 2382 + min-height: calc(100vh - 60px); 2383 2383 + text-align: center; 2384 2384 + padding: 2rem; 2385 2385 + } 2386 2386 + 2387 2387 + .error-content { 2388 2388 + max-width: 480px; 2389 2389 + } 2390 2390 + 2391 2391 + .error-icon { 2392 2392 + width: 80px; 2393 2393 + height: 80px; 2394 2394 + color: var(--secondary); 2395 2395 + margin-bottom: 1.5rem; 2396 2396 + } 2397 2397 + 2398 2398 + .error-code { 2399 2399 + font-size: 8rem; 2400 2400 + font-weight: 700; 2401 2401 + color: var(--primary); 2402 2402 + line-height: 1; 2403 2403 + margin-bottom: 0.5rem; 2404 2404 + } 2405 2405 + 2406 2406 + .error-content h1 { 2407 2407 + font-size: 2rem; 2408 2408 + margin-bottom: 0.75rem; 2409 2409 + color: var(--fg); 2410 2410 + } 2411 2411 + 2412 2412 + .error-content p { 2413 2413 + font-size: 1.125rem; 2414 2414 + color: var(--secondary); 2415 2415 + margin-bottom: 2rem; 2416 2416 + } 2417 2417 + 2418 2418 + @media (max-width: 768px) { 2419 2419 + .error-code { 2420 2420 + font-size: 5rem; 2421 2421 + } 2422 2422 + 2423 2423 + .error-icon { 2424 2424 + width: 60px; 2425 2425 + height: 60px; 2426 2426 + } 2427 2427 + 2428 2428 + .error-content h1 { 2429 2429 + font-size: 1.5rem; 2430 2430 + } 2431 2431 + }

+63

pkg/appview/static/js/app.js

··· 434 434 } 435 435 } 436 436 437 437 + // Upload repository avatar 438 438 + async function uploadAvatar(input, repository) { 439 439 + const file = input.files[0]; 440 440 + if (!file) return; 441 441 + 442 442 + // Client-side validation 443 443 + const validTypes = ['image/png', 'image/jpeg', 'image/webp']; 444 444 + if (!validTypes.includes(file.type)) { 445 445 + alert('Please select a PNG, JPEG, or WebP image'); 446 446 + return; 447 447 + } 448 448 + if (file.size > 3 * 1024 * 1024) { 449 449 + alert('Image must be less than 3MB'); 450 450 + return; 451 451 + } 452 452 + 453 453 + const formData = new FormData(); 454 454 + formData.append('avatar', file); 455 455 + 456 456 + try { 457 457 + const response = await fetch(`/api/images/${repository}/avatar`, { 458 458 + method: 'POST', 459 459 + credentials: 'include', 460 460 + body: formData 461 461 + }); 462 462 + 463 463 + if (response.status === 401) { 464 464 + window.location.href = '/auth/oauth/login'; 465 465 + return; 466 466 + } 467 467 + 468 468 + if (!response.ok) { 469 469 + const error = await response.text(); 470 470 + throw new Error(error); 471 471 + } 472 472 + 473 473 + const data = await response.json(); 474 474 + 475 475 + // Update the avatar image on the page 476 476 + const wrapper = document.querySelector('.repo-hero-icon-wrapper'); 477 477 + if (!wrapper) return; 478 478 + 479 479 + const existingImg = wrapper.querySelector('.repo-hero-icon'); 480 480 + const placeholder = wrapper.querySelector('.repo-hero-icon-placeholder'); 481 481 + 482 482 + if (existingImg) { 483 483 + existingImg.src = data.avatarURL; 484 484 + } else if (placeholder) { 485 485 + const newImg = document.createElement('img'); 486 486 + newImg.src = data.avatarURL; 487 487 + newImg.alt = repository; 488 488 + newImg.className = 'repo-hero-icon'; 489 489 + placeholder.replaceWith(newImg); 490 490 + } 491 491 + } catch (err) { 492 492 + console.error('Error uploading avatar:', err); 493 493 + alert('Failed to upload avatar: ' + err.message); 494 494 + } 495 495 + 496 496 + // Clear input so same file can be selected again 497 497 + input.value = ''; 498 498 + } 499 499 + 437 500 // Close modal when clicking outside 438 501 document.addEventListener('DOMContentLoaded', () => { 439 502 const modal = document.getElementById('manifest-delete-modal');

-42

pkg/appview/storage/context.go

··· 1 1 - package storage 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - 6 6 - "atcr.io/pkg/atproto" 7 7 - "atcr.io/pkg/auth" 8 8 - "atcr.io/pkg/auth/oauth" 9 9 - ) 10 10 - 11 11 - // DatabaseMetrics interface for tracking pull/push counts and querying hold DIDs 12 12 - type DatabaseMetrics interface { 13 13 - IncrementPullCount(did, repository string) error 14 14 - IncrementPushCount(did, repository string) error 15 15 - GetLatestHoldDIDForRepo(did, repository string) (string, error) 16 16 - } 17 17 - 18 18 - // ReadmeCache interface for README content caching 19 19 - type ReadmeCache interface { 20 20 - Get(ctx context.Context, url string) (string, error) 21 21 - Invalidate(url string) error 22 22 - } 23 23 - 24 24 - // RegistryContext bundles all the context needed for registry operations 25 25 - // This includes both per-request data (DID, hold) and shared services 26 26 - type RegistryContext struct { 27 27 - // Per-request identity and routing information 28 28 - DID string // User's DID (e.g., "did:plc:abc123") 29 29 - Handle string // User's handle (e.g., "alice.bsky.social") 30 30 - HoldDID string // Hold service DID (e.g., "did:web:hold01.atcr.io") 31 31 - PDSEndpoint string // User's PDS endpoint URL 32 32 - Repository string // Image repository name (e.g., "debian") 33 33 - ServiceToken string // Service token for hold authentication (cached by middleware) 34 34 - ATProtoClient *atproto.Client // Authenticated ATProto client for this user 35 35 - AuthMethod string // Auth method used ("oauth" or "app_password") 36 36 - 37 37 - // Shared services (same for all requests) 38 38 - Database DatabaseMetrics // Metrics tracking database 39 39 - Authorizer auth.HoldAuthorizer // Hold access authorization 40 40 - Refresher *oauth.Refresher // OAuth session manager 41 41 - ReadmeCache ReadmeCache // README content cache 42 42 - }

-146

pkg/appview/storage/context_test.go

··· 1 1 - package storage 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "sync" 6 6 - "testing" 7 7 - 8 8 - "atcr.io/pkg/atproto" 9 9 - ) 10 10 - 11 11 - // Mock implementations for testing 12 12 - type mockDatabaseMetrics struct { 13 13 - mu sync.Mutex 14 14 - pullCount int 15 15 - pushCount int 16 16 - } 17 17 - 18 18 - func (m *mockDatabaseMetrics) IncrementPullCount(did, repository string) error { 19 19 - m.mu.Lock() 20 20 - defer m.mu.Unlock() 21 21 - m.pullCount++ 22 22 - return nil 23 23 - } 24 24 - 25 25 - func (m *mockDatabaseMetrics) IncrementPushCount(did, repository string) error { 26 26 - m.mu.Lock() 27 27 - defer m.mu.Unlock() 28 28 - m.pushCount++ 29 29 - return nil 30 30 - } 31 31 - 32 32 - func (m *mockDatabaseMetrics) GetLatestHoldDIDForRepo(did, repository string) (string, error) { 33 33 - // Return empty string for mock - tests can override if needed 34 34 - return "", nil 35 35 - } 36 36 - 37 37 - func (m *mockDatabaseMetrics) getPullCount() int { 38 38 - m.mu.Lock() 39 39 - defer m.mu.Unlock() 40 40 - return m.pullCount 41 41 - } 42 42 - 43 43 - func (m *mockDatabaseMetrics) getPushCount() int { 44 44 - m.mu.Lock() 45 45 - defer m.mu.Unlock() 46 46 - return m.pushCount 47 47 - } 48 48 - 49 49 - type mockReadmeCache struct{} 50 50 - 51 51 - func (m *mockReadmeCache) Get(ctx context.Context, url string) (string, error) { 52 52 - return "# Test README", nil 53 53 - } 54 54 - 55 55 - func (m *mockReadmeCache) Invalidate(url string) error { 56 56 - return nil 57 57 - } 58 58 - 59 59 - type mockHoldAuthorizer struct{} 60 60 - 61 61 - func (m *mockHoldAuthorizer) Authorize(holdDID, userDID, permission string) (bool, error) { 62 62 - return true, nil 63 63 - } 64 64 - 65 65 - func TestRegistryContext_Fields(t *testing.T) { 66 66 - // Create a sample RegistryContext 67 67 - ctx := &RegistryContext{ 68 68 - DID: "did:plc:test123", 69 69 - Handle: "alice.bsky.social", 70 70 - HoldDID: "did:web:hold01.atcr.io", 71 71 - PDSEndpoint: "https://bsky.social", 72 72 - Repository: "debian", 73 73 - ServiceToken: "test-token", 74 74 - ATProtoClient: &atproto.Client{ 75 75 - // Mock client - would need proper initialization in real tests 76 76 - }, 77 77 - Database: &mockDatabaseMetrics{}, 78 78 - ReadmeCache: &mockReadmeCache{}, 79 79 - } 80 80 - 81 81 - // Verify fields are accessible 82 82 - if ctx.DID != "did:plc:test123" { 83 83 - t.Errorf("Expected DID %q, got %q", "did:plc:test123", ctx.DID) 84 84 - } 85 85 - if ctx.Handle != "alice.bsky.social" { 86 86 - t.Errorf("Expected Handle %q, got %q", "alice.bsky.social", ctx.Handle) 87 87 - } 88 88 - if ctx.HoldDID != "did:web:hold01.atcr.io" { 89 89 - t.Errorf("Expected HoldDID %q, got %q", "did:web:hold01.atcr.io", ctx.HoldDID) 90 90 - } 91 91 - if ctx.PDSEndpoint != "https://bsky.social" { 92 92 - t.Errorf("Expected PDSEndpoint %q, got %q", "https://bsky.social", ctx.PDSEndpoint) 93 93 - } 94 94 - if ctx.Repository != "debian" { 95 95 - t.Errorf("Expected Repository %q, got %q", "debian", ctx.Repository) 96 96 - } 97 97 - if ctx.ServiceToken != "test-token" { 98 98 - t.Errorf("Expected ServiceToken %q, got %q", "test-token", ctx.ServiceToken) 99 99 - } 100 100 - } 101 101 - 102 102 - func TestRegistryContext_DatabaseInterface(t *testing.T) { 103 103 - db := &mockDatabaseMetrics{} 104 104 - ctx := &RegistryContext{ 105 105 - Database: db, 106 106 - } 107 107 - 108 108 - // Test that interface methods are callable 109 109 - err := ctx.Database.IncrementPullCount("did:plc:test", "repo") 110 110 - if err != nil { 111 111 - t.Errorf("Unexpected error: %v", err) 112 112 - } 113 113 - 114 114 - err = ctx.Database.IncrementPushCount("did:plc:test", "repo") 115 115 - if err != nil { 116 116 - t.Errorf("Unexpected error: %v", err) 117 117 - } 118 118 - } 119 119 - 120 120 - func TestRegistryContext_ReadmeCacheInterface(t *testing.T) { 121 121 - cache := &mockReadmeCache{} 122 122 - ctx := &RegistryContext{ 123 123 - ReadmeCache: cache, 124 124 - } 125 125 - 126 126 - // Test that interface methods are callable 127 127 - content, err := ctx.ReadmeCache.Get(context.Background(), "https://example.com/README.md") 128 128 - if err != nil { 129 129 - t.Errorf("Unexpected error: %v", err) 130 130 - } 131 131 - if content != "# Test README" { 132 132 - t.Errorf("Expected content %q, got %q", "# Test README", content) 133 133 - } 134 134 - 135 135 - err = ctx.ReadmeCache.Invalidate("https://example.com/README.md") 136 136 - if err != nil { 137 137 - t.Errorf("Unexpected error: %v", err) 138 138 - } 139 139 - } 140 140 - 141 141 - // TODO: Add more comprehensive tests: 142 142 - // - Test ATProtoClient integration 143 143 - // - Test OAuth Refresher integration 144 144 - // - Test HoldAuthorizer integration 145 145 - // - Test nil handling for optional fields 146 146 - // - Integration tests with real components

-93

pkg/appview/storage/crew.go

··· 1 1 - package storage 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "fmt" 6 6 - "io" 7 7 - "log/slog" 8 8 - "net/http" 9 9 - "time" 10 10 - 11 11 - "atcr.io/pkg/atproto" 12 12 - "atcr.io/pkg/auth/oauth" 13 13 - "atcr.io/pkg/auth/token" 14 14 - ) 15 15 - 16 16 - // EnsureCrewMembership attempts to register the user as a crew member on their default hold. 17 17 - // The hold's requestCrew endpoint handles all authorization logic (checking allowAllCrew, existing membership, etc). 18 18 - // This is best-effort and does not fail on errors. 19 19 - func EnsureCrewMembership(ctx context.Context, client *atproto.Client, refresher *oauth.Refresher, defaultHoldDID string) { 20 20 - if defaultHoldDID == "" { 21 21 - return 22 22 - } 23 23 - 24 24 - // Normalize URL to DID if needed 25 25 - holdDID := atproto.ResolveHoldDIDFromURL(defaultHoldDID) 26 26 - if holdDID == "" { 27 27 - slog.Warn("failed to resolve hold DID", "defaultHold", defaultHoldDID) 28 28 - return 29 29 - } 30 30 - 31 31 - // Resolve hold DID to HTTP endpoint 32 32 - holdEndpoint := atproto.ResolveHoldURL(holdDID) 33 33 - 34 34 - // Get service token for the hold 35 35 - // Only works with OAuth (refresher required) - app passwords can't get service tokens 36 36 - if refresher == nil { 37 37 - slog.Debug("skipping crew registration - no OAuth refresher (app password flow)", "holdDID", holdDID) 38 38 - return 39 39 - } 40 40 - 41 41 - // Wrap the refresher to match OAuthSessionRefresher interface 42 42 - serviceToken, err := token.GetOrFetchServiceToken(ctx, refresher, client.DID(), holdDID, client.PDSEndpoint()) 43 43 - if err != nil { 44 44 - slog.Warn("failed to get service token", "holdDID", holdDID, "error", err) 45 45 - return 46 46 - } 47 47 - 48 48 - // Call requestCrew endpoint - it handles all the logic: 49 49 - // - Checks allowAllCrew flag 50 50 - // - Checks if already a crew member (returns success if so) 51 51 - // - Creates crew record if authorized 52 52 - if err := requestCrewMembership(ctx, holdEndpoint, serviceToken); err != nil { 53 53 - slog.Warn("failed to request crew membership", "holdDID", holdDID, "error", err) 54 54 - return 55 55 - } 56 56 - 57 57 - slog.Info("successfully registered as crew member", "holdDID", holdDID, "userDID", client.DID()) 58 58 - } 59 59 - 60 60 - // requestCrewMembership calls the hold's requestCrew endpoint 61 61 - // The endpoint handles all authorization and duplicate checking internally 62 62 - func requestCrewMembership(ctx context.Context, holdEndpoint, serviceToken string) error { 63 63 - // Add 5 second timeout to prevent hanging on offline holds 64 64 - ctx, cancel := context.WithTimeout(ctx, 5*time.Second) 65 65 - defer cancel() 66 66 - 67 67 - url := fmt.Sprintf("%s%s", holdEndpoint, atproto.HoldRequestCrew) 68 68 - 69 69 - req, err := http.NewRequestWithContext(ctx, "POST", url, nil) 70 70 - if err != nil { 71 71 - return err 72 72 - } 73 73 - 74 74 - req.Header.Set("Authorization", "Bearer "+serviceToken) 75 75 - req.Header.Set("Content-Type", "application/json") 76 76 - 77 77 - resp, err := http.DefaultClient.Do(req) 78 78 - if err != nil { 79 79 - return err 80 80 - } 81 81 - defer resp.Body.Close() 82 82 - 83 83 - if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated { 84 84 - // Read response body to capture actual error message from hold 85 85 - body, readErr := io.ReadAll(resp.Body) 86 86 - if readErr != nil { 87 87 - return fmt.Errorf("requestCrew failed with status %d (failed to read error body: %w)", resp.StatusCode, readErr) 88 88 - } 89 89 - return fmt.Errorf("requestCrew failed with status %d: %s", resp.StatusCode, string(body)) 90 90 - } 91 91 - 92 92 - return nil 93 93 - }

-14

pkg/appview/storage/crew_test.go

··· 1 1 - package storage 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "testing" 6 6 - ) 7 7 - 8 8 - func TestEnsureCrewMembership_EmptyHoldDID(t *testing.T) { 9 9 - // Test that empty hold DID returns early without error (best-effort function) 10 10 - EnsureCrewMembership(context.Background(), nil, nil, "") 11 11 - // If we get here without panic, test passes 12 12 - } 13 13 - 14 14 - // TODO: Add comprehensive tests with HTTP client mocking

+314 -86

pkg/appview/storage/manifest_store.go

··· 3 3 import ( 4 4 "bytes" 5 5 "context" 6 6 + "database/sql" 6 7 "encoding/json" 7 8 "errors" 8 9 "fmt" ··· 10 11 "log/slog" 11 12 "net/http" 12 13 "strings" 13 13 - "sync" 14 14 + "time" 14 15 16 16 + "atcr.io/pkg/appview/db" 17 17 + "atcr.io/pkg/appview/readme" 15 18 "atcr.io/pkg/atproto" 19 19 + "atcr.io/pkg/auth" 16 20 "github.com/distribution/distribution/v3" 17 21 "github.com/opencontainers/go-digest" 18 22 ) ··· 20 24 // ManifestStore implements distribution.ManifestService 21 25 // It stores manifests in ATProto as records 22 26 type ManifestStore struct { 23 23 - ctx *RegistryContext // Context with user/hold info 24 24 - mu sync.RWMutex // Protects lastFetchedHoldDID 25 25 - lastFetchedHoldDID string // Hold DID from most recently fetched manifest (for pull) 27 27 + ctx *auth.UserContext // User context with identity, target, permissions 26 28 blobStore distribution.BlobStore // Blob store for fetching config during push 29 29 + sqlDB *sql.DB // Database for pull/push counts 27 30 } 28 31 29 32 // NewManifestStore creates a new ATProto-backed manifest store 30 30 - func NewManifestStore(ctx *RegistryContext, blobStore distribution.BlobStore) *ManifestStore { 33 33 + func NewManifestStore(userCtx *auth.UserContext, blobStore distribution.BlobStore, sqlDB *sql.DB) *ManifestStore { 31 34 return &ManifestStore{ 32 32 - ctx: ctx, 35 35 + ctx: userCtx, 33 36 blobStore: blobStore, 37 37 + sqlDB: sqlDB, 34 38 } 35 39 } 36 40 37 41 // Exists checks if a manifest exists by digest 38 42 func (s *ManifestStore) Exists(ctx context.Context, dgst digest.Digest) (bool, error) { 39 43 rkey := digestToRKey(dgst) 40 40 - _, err := s.ctx.ATProtoClient.GetRecord(ctx, atproto.ManifestCollection, rkey) 44 44 + _, err := s.ctx.GetATProtoClient().GetRecord(ctx, atproto.ManifestCollection, rkey) 41 45 if err != nil { 42 46 // If not found, return false without error 43 47 if errors.Is(err, atproto.ErrRecordNotFound) { ··· 51 55 // Get retrieves a manifest by digest 52 56 func (s *ManifestStore) Get(ctx context.Context, dgst digest.Digest, options ...distribution.ManifestServiceOption) (distribution.Manifest, error) { 53 57 rkey := digestToRKey(dgst) 54 54 - record, err := s.ctx.ATProtoClient.GetRecord(ctx, atproto.ManifestCollection, rkey) 58 58 + record, err := s.ctx.GetATProtoClient().GetRecord(ctx, atproto.ManifestCollection, rkey) 55 59 if err != nil { 56 60 return nil, distribution.ErrManifestUnknownRevision{ 57 57 - Name: s.ctx.Repository, 61 61 + Name: s.ctx.TargetRepo, 58 62 Revision: dgst, 59 63 } 60 64 } 61 65 62 62 - var manifestRecord atproto.Manifest 66 66 + var manifestRecord atproto.ManifestRecord 63 67 if err := json.Unmarshal(record.Value, &manifestRecord); err != nil { 64 68 return nil, fmt.Errorf("failed to unmarshal manifest record: %w", err) 65 69 } 66 70 67 67 - // Store the hold DID for subsequent blob requests during pull 68 68 - // Prefer HoldDid (new format) with fallback to HoldEndpoint (legacy URL format) 69 69 - // The routing repository will cache this for concurrent blob fetches 70 70 - s.mu.Lock() 71 71 - if manifestRecord.HoldDid != nil && *manifestRecord.HoldDid != "" { 72 72 - // New format: DID reference (preferred) 73 73 - s.lastFetchedHoldDID = *manifestRecord.HoldDid 74 74 - } else if manifestRecord.HoldEndpoint != nil && *manifestRecord.HoldEndpoint != "" { 75 75 - // Legacy format: URL reference - convert to DID 76 76 - s.lastFetchedHoldDID = atproto.ResolveHoldDIDFromURL(*manifestRecord.HoldEndpoint) 77 77 - } 78 78 - s.mu.Unlock() 79 79 - 80 71 var ociManifest []byte 81 72 82 73 // New records: Download blob from ATProto blob storage 83 83 - if manifestRecord.ManifestBlob != nil && manifestRecord.ManifestBlob.Ref.Defined() { 84 84 - ociManifest, err = s.ctx.ATProtoClient.GetBlob(ctx, manifestRecord.ManifestBlob.Ref.String()) 74 74 + if manifestRecord.ManifestBlob != nil && manifestRecord.ManifestBlob.Ref.Link != "" { 75 75 + ociManifest, err = s.ctx.GetATProtoClient().GetBlob(ctx, manifestRecord.ManifestBlob.Ref.Link) 85 76 if err != nil { 86 77 return nil, fmt.Errorf("failed to download manifest blob: %w", err) 87 78 } ··· 89 80 90 81 // Track pull count (increment asynchronously to avoid blocking the response) 91 82 // Only count GET requests (actual downloads), not HEAD requests (existence checks) 92 92 - if s.ctx.Database != nil { 83 83 + if s.sqlDB != nil { 93 84 // Check HTTP method from context (distribution library stores it as "http.request.method") 94 85 if method, ok := ctx.Value("http.request.method").(string); ok && method == "GET" { 95 86 go func() { 96 96 - if err := s.ctx.Database.IncrementPullCount(s.ctx.DID, s.ctx.Repository); err != nil { 97 97 - slog.Warn("Failed to increment pull count", "did", s.ctx.DID, "repository", s.ctx.Repository, "error", err) 87 87 + if err := db.IncrementPullCount(s.sqlDB, s.ctx.TargetOwnerDID, s.ctx.TargetRepo); err != nil { 88 88 + slog.Warn("Failed to increment pull count", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 98 89 } 99 90 }() 100 91 } ··· 121 112 dgst := digest.FromBytes(payload) 122 113 123 114 // Upload manifest as blob to PDS 124 124 - blobRef, err := s.ctx.ATProtoClient.UploadBlob(ctx, payload, mediaType) 115 115 + blobRef, err := s.ctx.GetATProtoClient().UploadBlob(ctx, payload, mediaType) 125 116 if err != nil { 126 117 return "", fmt.Errorf("failed to upload manifest blob: %w", err) 127 118 } 128 119 129 120 // Create manifest record with structured metadata 130 130 - manifestRecord, err := atproto.NewManifestRecord(s.ctx.Repository, dgst.String(), payload) 121 121 + manifestRecord, err := atproto.NewManifestRecord(s.ctx.TargetRepo, dgst.String(), payload) 131 122 if err != nil { 132 123 return "", fmt.Errorf("failed to create manifest record: %w", err) 133 124 } 134 125 135 126 // Set the blob reference, hold DID, and hold endpoint 136 127 manifestRecord.ManifestBlob = blobRef 137 137 - if s.ctx.HoldDID != "" { 138 138 - manifestRecord.HoldDid = &s.ctx.HoldDID // Primary reference (DID) 139 139 - } 128 128 + manifestRecord.HoldDID = s.ctx.TargetHoldDID // Primary reference (DID) 140 129 141 130 // Extract Dockerfile labels from config blob and add to annotations 142 131 // Only for image manifests (not manifest lists which don't have config blobs) ··· 163 152 if !exists { 164 153 platform := "unknown" 165 154 if ref.Platform != nil { 166 166 - platform = fmt.Sprintf("%s/%s", ref.Platform.Os, ref.Platform.Architecture) 155 155 + platform = fmt.Sprintf("%s/%s", ref.Platform.OS, ref.Platform.Architecture) 167 156 } 168 157 slog.Warn("Manifest list references non-existent child manifest", 169 169 - "repository", s.ctx.Repository, 158 158 + "repository", s.ctx.TargetRepo, 170 159 "missingDigest", ref.Digest, 171 160 "platform", platform) 172 161 return "", distribution.ErrManifestBlobUnknown{Digest: refDigest} ··· 174 163 } 175 164 } 176 165 177 177 - // Note: Label extraction from config blob is currently disabled because the generated 178 178 - // Manifest_Annotations type doesn't support arbitrary keys. The lexicon schema would 179 179 - // need to use "unknown" type for annotations to support dynamic key-value pairs. 180 180 - // TODO: Update lexicon schema if label extraction is needed. 181 181 - _ = isManifestList // silence unused variable warning for now 166 166 + if !isManifestList && s.blobStore != nil && manifestRecord.Config != nil && manifestRecord.Config.Digest != "" { 167 167 + labels, err := s.extractConfigLabels(ctx, manifestRecord.Config.Digest) 168 168 + if err != nil { 169 169 + // Log error but don't fail the push - labels are optional 170 170 + slog.Warn("Failed to extract config labels", "error", err) 171 171 + } else if len(labels) > 0 { 172 172 + // Initialize annotations map if needed 173 173 + if manifestRecord.Annotations == nil { 174 174 + manifestRecord.Annotations = make(map[string]string) 175 175 + } 176 176 + 177 177 + // Copy labels to annotations as fallback 178 178 + // Only set label values for keys NOT already in manifest annotations 179 179 + // This ensures explicit annotations take precedence over Dockerfile LABELs 180 180 + // (which may be inherited from base images) 181 181 + for key, value := range labels { 182 182 + if _, exists := manifestRecord.Annotations[key]; !exists { 183 183 + manifestRecord.Annotations[key] = value 184 184 + } 185 185 + } 186 186 + 187 187 + slog.Debug("Merged labels from config blob", "labelsCount", len(labels), "annotationsCount", len(manifestRecord.Annotations)) 188 188 + } 189 189 + } 182 190 183 191 // Store manifest record in ATProto 184 192 rkey := digestToRKey(dgst) 185 185 - _, err = s.ctx.ATProtoClient.PutRecord(ctx, atproto.ManifestCollection, rkey, manifestRecord) 193 193 + _, err = s.ctx.GetATProtoClient().PutRecord(ctx, atproto.ManifestCollection, rkey, manifestRecord) 186 194 if err != nil { 187 195 return "", fmt.Errorf("failed to store manifest record in ATProto: %w", err) 188 196 } 189 197 190 198 // Track push count (increment asynchronously to avoid blocking the response) 191 191 - if s.ctx.Database != nil { 199 199 + if s.sqlDB != nil { 192 200 go func() { 193 193 - if err := s.ctx.Database.IncrementPushCount(s.ctx.DID, s.ctx.Repository); err != nil { 194 194 - slog.Warn("Failed to increment push count", "did", s.ctx.DID, "repository", s.ctx.Repository, "error", err) 201 201 + if err := db.IncrementPushCount(s.sqlDB, s.ctx.TargetOwnerDID, s.ctx.TargetRepo); err != nil { 202 202 + slog.Warn("Failed to increment push count", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 195 203 } 196 204 }() 197 205 } ··· 201 209 for _, option := range options { 202 210 if tagOpt, ok := option.(distribution.WithTagOption); ok { 203 211 tag = tagOpt.Tag 204 204 - tagRecord := atproto.NewTagRecord(s.ctx.ATProtoClient.DID(), s.ctx.Repository, tag, dgst.String()) 205 205 - tagRKey := atproto.RepositoryTagToRKey(s.ctx.Repository, tag) 206 206 - _, err = s.ctx.ATProtoClient.PutRecord(ctx, atproto.TagCollection, tagRKey, tagRecord) 212 212 + tagRecord := atproto.NewTagRecord(s.ctx.GetATProtoClient().DID(), s.ctx.TargetRepo, tag, dgst.String()) 213 213 + tagRKey := atproto.RepositoryTagToRKey(s.ctx.TargetRepo, tag) 214 214 + _, err = s.ctx.GetATProtoClient().PutRecord(ctx, atproto.TagCollection, tagRKey, tagRecord) 207 215 if err != nil { 208 216 return "", fmt.Errorf("failed to store tag in ATProto: %w", err) 209 217 } ··· 212 220 213 221 // Notify hold about manifest upload (for layer tracking and Bluesky posts) 214 222 // Do this asynchronously to avoid blocking the push 215 215 - if tag != "" && s.ctx.ServiceToken != "" && s.ctx.Handle != "" { 216 216 - go func() { 223 223 + // Get service token before goroutine (requires context) 224 224 + serviceToken, _ := s.ctx.GetServiceToken(ctx) 225 225 + if tag != "" && serviceToken != "" && s.ctx.TargetOwnerHandle != "" { 226 226 + go func(serviceToken string) { 217 227 defer func() { 218 228 if r := recover(); r != nil { 219 229 slog.Error("Panic in notifyHoldAboutManifest", "panic", r) 220 230 } 221 231 }() 222 222 - if err := s.notifyHoldAboutManifest(context.Background(), manifestRecord, tag, dgst.String()); err != nil { 232 232 + if err := s.notifyHoldAboutManifest(context.Background(), manifestRecord, tag, dgst.String(), serviceToken); err != nil { 223 233 slog.Warn("Failed to notify hold about manifest", "error", err) 224 234 } 225 225 - }() 235 235 + }(serviceToken) 226 236 } 227 237 228 228 - // Refresh README cache asynchronously if manifest has io.atcr.readme annotation 229 229 - // This ensures fresh README content is available on repository pages 238 238 + // Create or update repo page asynchronously if manifest has relevant annotations 239 239 + // This ensures repository metadata is synced to user's PDS 230 240 go func() { 231 241 defer func() { 232 242 if r := recover(); r != nil { 233 233 - slog.Error("Panic in refreshReadmeCache", "panic", r) 243 243 + slog.Error("Panic in ensureRepoPage", "panic", r) 234 244 } 235 245 }() 236 236 - s.refreshReadmeCache(context.Background(), manifestRecord) 246 246 + s.ensureRepoPage(context.Background(), manifestRecord) 237 247 }() 238 248 239 249 return dgst, nil ··· 242 252 // Delete removes a manifest 243 253 func (s *ManifestStore) Delete(ctx context.Context, dgst digest.Digest) error { 244 254 rkey := digestToRKey(dgst) 245 245 - return s.ctx.ATProtoClient.DeleteRecord(ctx, atproto.ManifestCollection, rkey) 255 255 + return s.ctx.GetATProtoClient().DeleteRecord(ctx, atproto.ManifestCollection, rkey) 246 256 } 247 257 248 258 // digestToRKey converts a digest to an ATProto record key ··· 252 262 return dgst.Encoded() 253 263 } 254 264 255 255 - // GetLastFetchedHoldDID returns the hold DID from the most recently fetched manifest 256 256 - // This is used by the routing repository to cache the hold for blob requests 257 257 - func (s *ManifestStore) GetLastFetchedHoldDID() string { 258 258 - s.mu.RLock() 259 259 - defer s.mu.RUnlock() 260 260 - return s.lastFetchedHoldDID 261 261 - } 262 262 - 263 265 // rawManifest is a simple implementation of distribution.Manifest 264 266 type rawManifest struct { 265 267 mediaType string ··· 305 307 306 308 // notifyHoldAboutManifest notifies the hold service about a manifest upload 307 309 // This enables the hold to create layer records and Bluesky posts 308 308 - func (s *ManifestStore) notifyHoldAboutManifest(ctx context.Context, manifestRecord *atproto.Manifest, tag, manifestDigest string) error { 309 309 - // Skip if no service token configured (e.g., anonymous pulls) 310 310 - if s.ctx.ServiceToken == "" { 310 310 + func (s *ManifestStore) notifyHoldAboutManifest(ctx context.Context, manifestRecord *atproto.ManifestRecord, tag, manifestDigest, serviceToken string) error { 311 311 + // Skip if no service token provided 312 312 + if serviceToken == "" { 311 313 return nil 312 314 } 313 315 314 316 // Resolve hold DID to HTTP endpoint 315 317 // For did:web, this is straightforward (e.g., did:web:hold01.atcr.io → https://hold01.atcr.io) 316 316 - holdEndpoint := atproto.ResolveHoldURL(s.ctx.HoldDID) 318 318 + holdEndpoint := atproto.ResolveHoldURL(s.ctx.TargetHoldDID) 317 319 318 318 - // Use service token from middleware (already cached and validated) 319 319 - serviceToken := s.ctx.ServiceToken 320 320 + // Service token is passed in (already cached and validated) 320 321 321 322 // Build notification request 322 323 manifestData := map[string]any{ ··· 355 356 } 356 357 if m.Platform != nil { 357 358 mData["platform"] = map[string]any{ 358 358 - "os": m.Platform.Os, 359 359 + "os": m.Platform.OS, 359 360 "architecture": m.Platform.Architecture, 360 361 } 361 362 } ··· 365 366 } 366 367 367 368 notifyReq := map[string]any{ 368 368 - "repository": s.ctx.Repository, 369 369 + "repository": s.ctx.TargetRepo, 369 370 "tag": tag, 370 370 - "userDid": s.ctx.DID, 371 371 - "userHandle": s.ctx.Handle, 371 371 + "userDid": s.ctx.TargetOwnerDID, 372 372 + "userHandle": s.ctx.TargetOwnerHandle, 372 373 "manifest": manifestData, 373 374 } 374 375 ··· 406 407 // Parse response (optional logging) 407 408 var notifyResp map[string]any 408 409 if err := json.NewDecoder(resp.Body).Decode(&notifyResp); err == nil { 409 409 - slog.Info("Hold notification successful", "repository", s.ctx.Repository, "tag", tag, "response", notifyResp) 410 410 + slog.Info("Hold notification successful", "repository", s.ctx.TargetRepo, "tag", tag, "response", notifyResp) 410 411 } 411 412 412 413 return nil 413 414 } 414 415 415 415 - // refreshReadmeCache refreshes the README cache for this manifest if it has io.atcr.readme annotation 416 416 - // This should be called asynchronously after manifest push to keep README content fresh 417 417 - // NOTE: Currently disabled because the generated Manifest_Annotations type doesn't support 418 418 - // arbitrary key-value pairs. Would need to update lexicon schema with "unknown" type. 419 419 - func (s *ManifestStore) refreshReadmeCache(ctx context.Context, manifestRecord *atproto.Manifest) { 420 420 - // Skip if no README cache configured 421 421 - if s.ctx.ReadmeCache == nil { 416 416 + // ensureRepoPage creates or updates a repo page record in the user's PDS if needed 417 417 + // This syncs repository metadata from manifest annotations to the io.atcr.repo.page collection 418 418 + // Only creates a new record if one doesn't exist (doesn't overwrite user's custom content) 419 419 + func (s *ManifestStore) ensureRepoPage(ctx context.Context, manifestRecord *atproto.ManifestRecord) { 420 420 + // Check if repo page already exists (don't overwrite user's custom content) 421 421 + rkey := s.ctx.TargetRepo 422 422 + _, err := s.ctx.GetATProtoClient().GetRecord(ctx, atproto.RepoPageCollection, rkey) 423 423 + if err == nil { 424 424 + // Record already exists - don't overwrite 425 425 + slog.Debug("Repo page already exists, skipping creation", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo) 422 426 return 423 427 } 424 428 425 425 - // TODO: Re-enable once lexicon supports annotations as map[string]string 426 426 - // The generated Manifest_Annotations is an empty struct that doesn't support map access. 427 427 - // For now, README cache refresh on push is disabled. 428 428 - _ = manifestRecord // silence unused variable warning 429 429 + // Only continue if it's a "not found" error - other errors mean we should skip 430 430 + if !errors.Is(err, atproto.ErrRecordNotFound) { 431 431 + slog.Warn("Failed to check for existing repo page", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 432 432 + return 433 433 + } 434 434 + 435 435 + // Get annotations (may be nil if image has no OCI labels) 436 436 + annotations := manifestRecord.Annotations 437 437 + if annotations == nil { 438 438 + annotations = make(map[string]string) 439 439 + } 440 440 + 441 441 + // Try to fetch README content from external sources 442 442 + // Priority: io.atcr.readme annotation > derived from org.opencontainers.image.source > org.opencontainers.image.description 443 443 + description := s.fetchReadmeContent(ctx, annotations) 444 444 + 445 445 + // If no README content could be fetched, fall back to description annotation 446 446 + if description == "" { 447 447 + description = annotations["org.opencontainers.image.description"] 448 448 + } 449 449 + 450 450 + // Try to fetch and upload icon from io.atcr.icon annotation 451 451 + var avatarRef *atproto.ATProtoBlobRef 452 452 + if iconURL := annotations["io.atcr.icon"]; iconURL != "" { 453 453 + avatarRef = s.fetchAndUploadIcon(ctx, iconURL) 454 454 + } 455 455 + 456 456 + // Create new repo page record with description and optional avatar 457 457 + repoPage := atproto.NewRepoPageRecord(s.ctx.TargetRepo, description, avatarRef) 458 458 + 459 459 + slog.Info("Creating repo page from manifest annotations", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "descriptionLength", len(description), "hasAvatar", avatarRef != nil) 460 460 + 461 461 + _, err = s.ctx.GetATProtoClient().PutRecord(ctx, atproto.RepoPageCollection, rkey, repoPage) 462 462 + if err != nil { 463 463 + slog.Warn("Failed to create repo page", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 464 464 + return 465 465 + } 466 466 + 467 467 + slog.Info("Repo page created successfully", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo) 468 468 + } 469 469 + 470 470 + // fetchReadmeContent attempts to fetch README content from external sources 471 471 + // Priority: io.atcr.readme annotation > derived from org.opencontainers.image.source 472 472 + // Returns the raw markdown content, or empty string if not available 473 473 + func (s *ManifestStore) fetchReadmeContent(ctx context.Context, annotations map[string]string) string { 474 474 + 475 475 + // Create a context with timeout for README fetching (don't block push too long) 476 476 + fetchCtx, cancel := context.WithTimeout(ctx, 10*time.Second) 477 477 + defer cancel() 478 478 + 479 479 + // Priority 1: Direct README URL from io.atcr.readme annotation 480 480 + if readmeURL := annotations["io.atcr.readme"]; readmeURL != "" { 481 481 + content, err := s.fetchRawReadme(fetchCtx, readmeURL) 482 482 + if err != nil { 483 483 + slog.Debug("Failed to fetch README from io.atcr.readme annotation", "url", readmeURL, "error", err) 484 484 + } else if content != "" { 485 485 + slog.Info("Fetched README from io.atcr.readme annotation", "url", readmeURL, "length", len(content)) 486 486 + return content 487 487 + } 488 488 + } 489 489 + 490 490 + // Priority 2: Derive README URL from org.opencontainers.image.source 491 491 + if sourceURL := annotations["org.opencontainers.image.source"]; sourceURL != "" { 492 492 + // Try main branch first, then master 493 493 + for _, branch := range []string{"main", "master"} { 494 494 + readmeURL := readme.DeriveReadmeURL(sourceURL, branch) 495 495 + if readmeURL == "" { 496 496 + continue 497 497 + } 498 498 + 499 499 + content, err := s.fetchRawReadme(fetchCtx, readmeURL) 500 500 + if err != nil { 501 501 + // Only log non-404 errors (404 is expected when trying main vs master) 502 502 + if !readme.Is404(err) { 503 503 + slog.Debug("Failed to fetch README from source URL", "url", readmeURL, "branch", branch, "error", err) 504 504 + } 505 505 + continue 506 506 + } 507 507 + 508 508 + if content != "" { 509 509 + slog.Info("Fetched README from source URL", "sourceURL", sourceURL, "branch", branch, "length", len(content)) 510 510 + return content 511 511 + } 512 512 + } 513 513 + } 514 514 + 515 515 + return "" 516 516 + } 517 517 + 518 518 + // fetchRawReadme fetches raw markdown content from a URL 519 519 + // Returns the raw markdown (not rendered HTML) for storage in the repo page record 520 520 + func (s *ManifestStore) fetchRawReadme(ctx context.Context, readmeURL string) (string, error) { 521 521 + // Use a simple HTTP client to fetch raw content 522 522 + // We want raw markdown, not rendered HTML (the Fetcher renders to HTML) 523 523 + req, err := http.NewRequestWithContext(ctx, "GET", readmeURL, nil) 524 524 + if err != nil { 525 525 + return "", fmt.Errorf("failed to create request: %w", err) 526 526 + } 527 527 + 528 528 + req.Header.Set("User-Agent", "ATCR-README-Fetcher/1.0") 529 529 + 530 530 + client := &http.Client{ 531 531 + Timeout: 10 * time.Second, 532 532 + CheckRedirect: func(req *http.Request, via []*http.Request) error { 533 533 + if len(via) >= 5 { 534 534 + return fmt.Errorf("too many redirects") 535 535 + } 536 536 + return nil 537 537 + }, 538 538 + } 539 539 + 540 540 + resp, err := client.Do(req) 541 541 + if err != nil { 542 542 + return "", fmt.Errorf("failed to fetch URL: %w", err) 543 543 + } 544 544 + defer resp.Body.Close() 545 545 + 546 546 + if resp.StatusCode != http.StatusOK { 547 547 + return "", fmt.Errorf("unexpected status code: %d", resp.StatusCode) 548 548 + } 549 549 + 550 550 + // Limit content size to 100KB (repo page description has 100KB limit in lexicon) 551 551 + limitedReader := io.LimitReader(resp.Body, 100*1024) 552 552 + content, err := io.ReadAll(limitedReader) 553 553 + if err != nil { 554 554 + return "", fmt.Errorf("failed to read response body: %w", err) 555 555 + } 556 556 + 557 557 + return string(content), nil 558 558 + } 559 559 + 560 560 + // fetchAndUploadIcon fetches an image from a URL and uploads it as a blob to the user's PDS 561 561 + // Returns the blob reference for use in the repo page record, or nil on error 562 562 + func (s *ManifestStore) fetchAndUploadIcon(ctx context.Context, iconURL string) *atproto.ATProtoBlobRef { 563 563 + // Create a context with timeout for icon fetching 564 564 + fetchCtx, cancel := context.WithTimeout(ctx, 10*time.Second) 565 565 + defer cancel() 566 566 + 567 567 + // Fetch the icon 568 568 + req, err := http.NewRequestWithContext(fetchCtx, "GET", iconURL, nil) 569 569 + if err != nil { 570 570 + slog.Debug("Failed to create icon request", "url", iconURL, "error", err) 571 571 + return nil 572 572 + } 573 573 + 574 574 + req.Header.Set("User-Agent", "ATCR-Icon-Fetcher/1.0") 575 575 + 576 576 + client := &http.Client{ 577 577 + Timeout: 10 * time.Second, 578 578 + CheckRedirect: func(req *http.Request, via []*http.Request) error { 579 579 + if len(via) >= 5 { 580 580 + return fmt.Errorf("too many redirects") 581 581 + } 582 582 + return nil 583 583 + }, 584 584 + } 585 585 + 586 586 + resp, err := client.Do(req) 587 587 + if err != nil { 588 588 + slog.Debug("Failed to fetch icon", "url", iconURL, "error", err) 589 589 + return nil 590 590 + } 591 591 + defer resp.Body.Close() 592 592 + 593 593 + if resp.StatusCode != http.StatusOK { 594 594 + slog.Debug("Icon fetch returned non-OK status", "url", iconURL, "status", resp.StatusCode) 595 595 + return nil 596 596 + } 597 597 + 598 598 + // Validate content type - only allow images 599 599 + contentType := resp.Header.Get("Content-Type") 600 600 + mimeType := detectImageMimeType(contentType, iconURL) 601 601 + if mimeType == "" { 602 602 + slog.Debug("Icon has unsupported content type", "url", iconURL, "contentType", contentType) 603 603 + return nil 604 604 + } 605 605 + 606 606 + // Limit icon size to 3MB (matching lexicon maxSize) 607 607 + limitedReader := io.LimitReader(resp.Body, 3*1024*1024) 608 608 + iconData, err := io.ReadAll(limitedReader) 609 609 + if err != nil { 610 610 + slog.Debug("Failed to read icon data", "url", iconURL, "error", err) 611 611 + return nil 612 612 + } 613 613 + 614 614 + if len(iconData) == 0 { 615 615 + slog.Debug("Icon data is empty", "url", iconURL) 616 616 + return nil 617 617 + } 618 618 + 619 619 + // Upload the icon as a blob to the user's PDS 620 620 + blobRef, err := s.ctx.GetATProtoClient().UploadBlob(ctx, iconData, mimeType) 621 621 + if err != nil { 622 622 + slog.Warn("Failed to upload icon blob", "url", iconURL, "error", err) 623 623 + return nil 624 624 + } 625 625 + 626 626 + slog.Info("Uploaded icon blob", "url", iconURL, "size", len(iconData), "mimeType", mimeType, "cid", blobRef.Ref.Link) 627 627 + return blobRef 628 628 + } 629 629 + 630 630 + // detectImageMimeType determines the MIME type for an image 631 631 + // Uses Content-Type header first, then falls back to extension-based detection 632 632 + // Only allows types accepted by the lexicon: image/png, image/jpeg, image/webp 633 633 + func detectImageMimeType(contentType, url string) string { 634 634 + // Check Content-Type header first 635 635 + switch { 636 636 + case strings.HasPrefix(contentType, "image/png"): 637 637 + return "image/png" 638 638 + case strings.HasPrefix(contentType, "image/jpeg"): 639 639 + return "image/jpeg" 640 640 + case strings.HasPrefix(contentType, "image/webp"): 641 641 + return "image/webp" 642 642 + } 643 643 + 644 644 + // Fall back to URL extension detection 645 645 + lowerURL := strings.ToLower(url) 646 646 + switch { 647 647 + case strings.HasSuffix(lowerURL, ".png"): 648 648 + return "image/png" 649 649 + case strings.HasSuffix(lowerURL, ".jpg"), strings.HasSuffix(lowerURL, ".jpeg"): 650 650 + return "image/jpeg" 651 651 + case strings.HasSuffix(lowerURL, ".webp"): 652 652 + return "image/webp" 653 653 + } 654 654 + 655 655 + // Unknown or unsupported type - reject 656 656 + return "" 429 657 }

+136 -300

pkg/appview/storage/manifest_store_test.go

··· 8 8 "net/http" 9 9 "net/http/httptest" 10 10 "testing" 11 11 - "time" 12 11 13 12 "atcr.io/pkg/atproto" 13 13 + "atcr.io/pkg/auth" 14 14 "github.com/distribution/distribution/v3" 15 15 "github.com/opencontainers/go-digest" 16 16 ) 17 17 - 18 18 - // mockDatabaseMetrics removed - using the one from context_test.go 19 17 20 18 // mockBlobStore is a minimal mock of distribution.BlobStore for testing 21 19 type mockBlobStore struct { ··· 72 70 return nil, nil // Not needed for current tests 73 71 } 74 72 75 75 - // mockRegistryContext creates a mock RegistryContext for testing 76 76 - func mockRegistryContext(client *atproto.Client, repository, holdDID, did, handle string, database DatabaseMetrics) *RegistryContext { 77 77 - return &RegistryContext{ 78 78 - ATProtoClient: client, 79 79 - Repository: repository, 80 80 - HoldDID: holdDID, 81 81 - DID: did, 82 82 - Handle: handle, 83 83 - Database: database, 84 84 - } 73 73 + // mockUserContextForManifest creates a mock auth.UserContext for manifest store testing 74 74 + func mockUserContextForManifest(pdsEndpoint, repository, holdDID, ownerDID, ownerHandle string) *auth.UserContext { 75 75 + userCtx := auth.NewUserContext(ownerDID, "oauth", "PUT", nil) 76 76 + userCtx.SetTarget(ownerDID, ownerHandle, pdsEndpoint, repository, holdDID) 77 77 + return userCtx 85 78 } 86 79 87 80 // TestDigestToRKey tests digest to record key conversion ··· 115 108 116 109 // TestNewManifestStore tests creating a new manifest store 117 110 func TestNewManifestStore(t *testing.T) { 118 118 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 119 111 blobStore := newMockBlobStore() 120 120 - db := &mockDatabaseMetrics{} 112 112 + userCtx := mockUserContextForManifest( 113 113 + "https://pds.example.com", 114 114 + "myapp", 115 115 + "did:web:hold.example.com", 116 116 + "did:plc:alice123", 117 117 + "alice.test", 118 118 + ) 119 119 + store := NewManifestStore(userCtx, blobStore, nil) 121 120 122 122 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:alice123", "alice.test", db) 123 123 - store := NewManifestStore(ctx, blobStore) 124 124 - 125 125 - if store.ctx.Repository != "myapp" { 126 126 - t.Errorf("repository = %v, want myapp", store.ctx.Repository) 121 121 + if store.ctx.TargetRepo != "myapp" { 122 122 + t.Errorf("repository = %v, want myapp", store.ctx.TargetRepo) 127 123 } 128 128 - if store.ctx.HoldDID != "did:web:hold.example.com" { 129 129 - t.Errorf("holdDID = %v, want did:web:hold.example.com", store.ctx.HoldDID) 124 124 + if store.ctx.TargetHoldDID != "did:web:hold.example.com" { 125 125 + t.Errorf("holdDID = %v, want did:web:hold.example.com", store.ctx.TargetHoldDID) 130 126 } 131 131 - if store.ctx.DID != "did:plc:alice123" { 132 132 - t.Errorf("did = %v, want did:plc:alice123", store.ctx.DID) 127 127 + if store.ctx.TargetOwnerDID != "did:plc:alice123" { 128 128 + t.Errorf("did = %v, want did:plc:alice123", store.ctx.TargetOwnerDID) 133 129 } 134 134 - if store.ctx.Handle != "alice.test" { 135 135 - t.Errorf("handle = %v, want alice.test", store.ctx.Handle) 136 136 - } 137 137 - } 138 138 - 139 139 - // TestManifestStore_GetLastFetchedHoldDID tests tracking last fetched hold DID 140 140 - func TestManifestStore_GetLastFetchedHoldDID(t *testing.T) { 141 141 - tests := []struct { 142 142 - name string 143 143 - manifestHoldDID string 144 144 - manifestHoldURL string 145 145 - expectedLastFetched string 146 146 - }{ 147 147 - { 148 148 - name: "prefers HoldDID", 149 149 - manifestHoldDID: "did:web:hold01.atcr.io", 150 150 - manifestHoldURL: "https://hold01.atcr.io", 151 151 - expectedLastFetched: "did:web:hold01.atcr.io", 152 152 - }, 153 153 - { 154 154 - name: "falls back to HoldEndpoint URL conversion", 155 155 - manifestHoldDID: "", 156 156 - manifestHoldURL: "https://hold02.atcr.io", 157 157 - expectedLastFetched: "did:web:hold02.atcr.io", 158 158 - }, 159 159 - { 160 160 - name: "empty hold references", 161 161 - manifestHoldDID: "", 162 162 - manifestHoldURL: "", 163 163 - expectedLastFetched: "", 164 164 - }, 165 165 - } 166 166 - 167 167 - for _, tt := range tests { 168 168 - t.Run(tt.name, func(t *testing.T) { 169 169 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 170 170 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 171 171 - store := NewManifestStore(ctx, nil) 172 172 - 173 173 - // Simulate what happens in Get() when parsing a manifest record 174 174 - var manifestRecord atproto.Manifest 175 175 - if tt.manifestHoldDID != "" { 176 176 - manifestRecord.HoldDid = &tt.manifestHoldDID 177 177 - } 178 178 - if tt.manifestHoldURL != "" { 179 179 - manifestRecord.HoldEndpoint = &tt.manifestHoldURL 180 180 - } 181 181 - 182 182 - // Mimic the hold DID extraction logic from Get() 183 183 - if manifestRecord.HoldDid != nil && *manifestRecord.HoldDid != "" { 184 184 - store.lastFetchedHoldDID = *manifestRecord.HoldDid 185 185 - } else if manifestRecord.HoldEndpoint != nil && *manifestRecord.HoldEndpoint != "" { 186 186 - store.lastFetchedHoldDID = atproto.ResolveHoldDIDFromURL(*manifestRecord.HoldEndpoint) 187 187 - } 188 188 - 189 189 - got := store.GetLastFetchedHoldDID() 190 190 - if got != tt.expectedLastFetched { 191 191 - t.Errorf("GetLastFetchedHoldDID() = %v, want %v", got, tt.expectedLastFetched) 192 192 - } 193 193 - }) 130 130 + if store.ctx.TargetOwnerHandle != "alice.test" { 131 131 + t.Errorf("handle = %v, want alice.test", store.ctx.TargetOwnerHandle) 194 132 } 195 133 } 196 134 ··· 245 183 blobStore.blobs[configDigest] = configData 246 184 247 185 // Create manifest store 248 248 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 249 249 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 250 250 - store := NewManifestStore(ctx, blobStore) 186 186 + userCtx := mockUserContextForManifest( 187 187 + "https://pds.example.com", 188 188 + "myapp", 189 189 + "", 190 190 + "did:plc:test123", 191 191 + "test.handle", 192 192 + ) 193 193 + store := NewManifestStore(userCtx, blobStore, nil) 251 194 252 195 // Extract labels 253 196 labels, err := store.extractConfigLabels(context.Background(), configDigest.String()) ··· 285 228 configDigest := digest.FromBytes(configData) 286 229 blobStore.blobs[configDigest] = configData 287 230 288 288 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 289 289 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 290 290 - store := NewManifestStore(ctx, blobStore) 231 231 + userCtx := mockUserContextForManifest( 232 232 + "https://pds.example.com", 233 233 + "myapp", 234 234 + "", 235 235 + "did:plc:test123", 236 236 + "test.handle", 237 237 + ) 238 238 + store := NewManifestStore(userCtx, blobStore, nil) 291 239 292 240 labels, err := store.extractConfigLabels(context.Background(), configDigest.String()) 293 241 if err != nil { ··· 303 251 // TestExtractConfigLabels_InvalidDigest tests error handling for invalid digest 304 252 func TestExtractConfigLabels_InvalidDigest(t *testing.T) { 305 253 blobStore := newMockBlobStore() 306 306 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 307 307 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 308 308 - store := NewManifestStore(ctx, blobStore) 254 254 + userCtx := mockUserContextForManifest( 255 255 + "https://pds.example.com", 256 256 + "myapp", 257 257 + "", 258 258 + "did:plc:test123", 259 259 + "test.handle", 260 260 + ) 261 261 + store := NewManifestStore(userCtx, blobStore, nil) 309 262 310 263 _, err := store.extractConfigLabels(context.Background(), "invalid-digest") 311 264 if err == nil { ··· 322 275 configDigest := digest.FromBytes(configData) 323 276 blobStore.blobs[configDigest] = configData 324 277 325 325 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 326 326 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 327 327 - store := NewManifestStore(ctx, blobStore) 278 278 + userCtx := mockUserContextForManifest( 279 279 + "https://pds.example.com", 280 280 + "myapp", 281 281 + "", 282 282 + "did:plc:test123", 283 283 + "test.handle", 284 284 + ) 285 285 + store := NewManifestStore(userCtx, blobStore, nil) 328 286 329 287 _, err := store.extractConfigLabels(context.Background(), configDigest.String()) 330 288 if err == nil { ··· 332 290 } 333 291 } 334 292 335 335 - // TestManifestStore_WithMetrics tests that metrics are tracked 336 336 - func TestManifestStore_WithMetrics(t *testing.T) { 337 337 - db := &mockDatabaseMetrics{} 338 338 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 339 339 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:alice123", "alice.test", db) 340 340 - store := NewManifestStore(ctx, nil) 293 293 + // TestManifestStore_WithoutDatabase tests that nil database is acceptable 294 294 + func TestManifestStore_WithoutDatabase(t *testing.T) { 295 295 + userCtx := mockUserContextForManifest( 296 296 + "https://pds.example.com", 297 297 + "myapp", 298 298 + "did:web:hold.example.com", 299 299 + "did:plc:alice123", 300 300 + "alice.test", 301 301 + ) 302 302 + store := NewManifestStore(userCtx, nil, nil) 341 303 342 342 - if store.ctx.Database != db { 343 343 - t.Error("ManifestStore should store database reference") 344 344 - } 345 345 - 346 346 - // Note: Actual metrics tracking happens in Put() and Get() which require 347 347 - // full mock setup. The important thing is that the database is wired up. 348 348 - } 349 349 - 350 350 - // TestManifestStore_WithoutMetrics tests that nil database is acceptable 351 351 - func TestManifestStore_WithoutMetrics(t *testing.T) { 352 352 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 353 353 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:alice123", "alice.test", nil) 354 354 - store := NewManifestStore(ctx, nil) 355 355 - 356 356 - if store.ctx.Database != nil { 304 304 + if store.sqlDB != nil { 357 305 t.Error("ManifestStore should accept nil database") 358 306 } 359 307 } ··· 372 320 name: "manifest exists", 373 321 digest: "sha256:abc123", 374 322 serverStatus: http.StatusOK, 375 375 - serverResp: `{"uri":"at://did:plc:test123/io.atcr.manifest/abc123","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku","value":{}}`, 323 323 + serverResp: `{"uri":"at://did:plc:test123/io.atcr.manifest/abc123","cid":"bafytest","value":{}}`, 376 324 wantExists: true, 377 325 wantErr: false, 378 326 }, ··· 403 351 })) 404 352 defer server.Close() 405 353 406 406 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 407 407 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 408 408 - store := NewManifestStore(ctx, nil) 354 354 + userCtx := mockUserContextForManifest( 355 355 + server.URL, 356 356 + "myapp", 357 357 + "did:web:hold.example.com", 358 358 + "did:plc:test123", 359 359 + "test.handle", 360 360 + ) 361 361 + store := NewManifestStore(userCtx, nil, nil) 409 362 410 363 exists, err := store.Exists(context.Background(), tt.digest) 411 364 if (err != nil) != tt.wantErr { ··· 437 390 digest: "sha256:abc123", 438 391 serverResp: `{ 439 392 "uri":"at://did:plc:test123/io.atcr.manifest/abc123", 440 440 - "cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku", 393 393 + "cid":"bafytest", 441 394 "value":{ 442 395 "$type":"io.atcr.manifest", 443 396 "repository":"myapp", ··· 447 400 "mediaType":"application/vnd.oci.image.manifest.v1+json", 448 401 "manifestBlob":{ 449 402 "$type":"blob", 450 450 - "ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}, 403 403 + "ref":{"$link":"bafytest"}, 451 404 "mimeType":"application/vnd.oci.image.manifest.v1+json", 452 405 "size":100 453 406 } ··· 481 434 "holdEndpoint":"https://hold02.atcr.io", 482 435 "mediaType":"application/vnd.oci.image.manifest.v1+json", 483 436 "manifestBlob":{ 484 484 - "$type":"blob", 485 485 - "ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}, 486 486 - "mimeType":"application/json", 437 437 + "ref":{"$link":"bafylegacy"}, 487 438 "size":100 488 439 } 489 440 } ··· 523 474 })) 524 475 defer server.Close() 525 476 526 526 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 527 527 - db := &mockDatabaseMetrics{} 528 528 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", db) 529 529 - store := NewManifestStore(ctx, nil) 477 477 + userCtx := mockUserContextForManifest( 478 478 + server.URL, 479 479 + "myapp", 480 480 + "did:web:hold.example.com", 481 481 + "did:plc:test123", 482 482 + "test.handle", 483 483 + ) 484 484 + store := NewManifestStore(userCtx, nil, nil) 530 485 531 486 manifest, err := store.Get(context.Background(), tt.digest) 532 487 if (err != nil) != tt.wantErr { ··· 547 502 } 548 503 } 549 504 550 550 - // TestManifestStore_Get_HoldDIDTracking tests that Get() stores the holdDID 551 551 - func TestManifestStore_Get_HoldDIDTracking(t *testing.T) { 552 552 - ociManifest := []byte(`{"schemaVersion":2}`) 553 553 - 554 554 - tests := []struct { 555 555 - name string 556 556 - manifestResp string 557 557 - expectedHoldDID string 558 558 - }{ 559 559 - { 560 560 - name: "tracks HoldDID from new format", 561 561 - manifestResp: `{ 562 562 - "uri":"at://did:plc:test123/io.atcr.manifest/abc123", 563 563 - "value":{ 564 564 - "$type":"io.atcr.manifest", 565 565 - "holdDid":"did:web:hold01.atcr.io", 566 566 - "holdEndpoint":"https://hold01.atcr.io", 567 567 - "mediaType":"application/vnd.oci.image.manifest.v1+json", 568 568 - "manifestBlob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"mimeType":"application/json","size":100} 569 569 - } 570 570 - }`, 571 571 - expectedHoldDID: "did:web:hold01.atcr.io", 572 572 - }, 573 573 - { 574 574 - name: "tracks HoldDID from legacy HoldEndpoint", 575 575 - manifestResp: `{ 576 576 - "uri":"at://did:plc:test123/io.atcr.manifest/abc123", 577 577 - "value":{ 578 578 - "$type":"io.atcr.manifest", 579 579 - "holdEndpoint":"https://hold02.atcr.io", 580 580 - "mediaType":"application/vnd.oci.image.manifest.v1+json", 581 581 - "manifestBlob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"mimeType":"application/json","size":100} 582 582 - } 583 583 - }`, 584 584 - expectedHoldDID: "did:web:hold02.atcr.io", 585 585 - }, 586 586 - } 587 587 - 588 588 - for _, tt := range tests { 589 589 - t.Run(tt.name, func(t *testing.T) { 590 590 - server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 591 591 - if r.URL.Path == atproto.SyncGetBlob { 592 592 - w.Write(ociManifest) 593 593 - return 594 594 - } 595 595 - w.Write([]byte(tt.manifestResp)) 596 596 - })) 597 597 - defer server.Close() 598 598 - 599 599 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 600 600 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 601 601 - store := NewManifestStore(ctx, nil) 602 602 - 603 603 - _, err := store.Get(context.Background(), "sha256:abc123") 604 604 - if err != nil { 605 605 - t.Fatalf("Get() error = %v", err) 606 606 - } 607 607 - 608 608 - gotHoldDID := store.GetLastFetchedHoldDID() 609 609 - if gotHoldDID != tt.expectedHoldDID { 610 610 - t.Errorf("GetLastFetchedHoldDID() = %v, want %v", gotHoldDID, tt.expectedHoldDID) 611 611 - } 612 612 - }) 613 613 - } 614 614 - } 615 615 - 616 616 - // TestManifestStore_Get_OnlyCountsGETRequests verifies that HEAD requests don't increment pull count 617 617 - func TestManifestStore_Get_OnlyCountsGETRequests(t *testing.T) { 618 618 - ociManifest := []byte(`{"schemaVersion":2}`) 619 619 - 620 620 - tests := []struct { 621 621 - name string 622 622 - httpMethod string 623 623 - expectPullIncrement bool 624 624 - }{ 625 625 - { 626 626 - name: "GET request increments pull count", 627 627 - httpMethod: "GET", 628 628 - expectPullIncrement: true, 629 629 - }, 630 630 - { 631 631 - name: "HEAD request does not increment pull count", 632 632 - httpMethod: "HEAD", 633 633 - expectPullIncrement: false, 634 634 - }, 635 635 - { 636 636 - name: "POST request does not increment pull count", 637 637 - httpMethod: "POST", 638 638 - expectPullIncrement: false, 639 639 - }, 640 640 - } 641 641 - 642 642 - for _, tt := range tests { 643 643 - t.Run(tt.name, func(t *testing.T) { 644 644 - server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 645 645 - if r.URL.Path == atproto.SyncGetBlob { 646 646 - w.Write(ociManifest) 647 647 - return 648 648 - } 649 649 - w.Write([]byte(`{ 650 650 - "uri": "at://did:plc:test123/io.atcr.manifest/abc123", 651 651 - "value": { 652 652 - "$type":"io.atcr.manifest", 653 653 - "holdDid":"did:web:hold01.atcr.io", 654 654 - "mediaType":"application/vnd.oci.image.manifest.v1+json", 655 655 - "manifestBlob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"mimeType":"application/json","size":100} 656 656 - } 657 657 - }`)) 658 658 - })) 659 659 - defer server.Close() 660 660 - 661 661 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 662 662 - mockDB := &mockDatabaseMetrics{} 663 663 - ctx := mockRegistryContext(client, "myapp", "did:web:hold01.atcr.io", "did:plc:test123", "test.handle", mockDB) 664 664 - store := NewManifestStore(ctx, nil) 665 665 - 666 666 - // Create a context with the HTTP method stored (as distribution library does) 667 667 - testCtx := context.WithValue(context.Background(), "http.request.method", tt.httpMethod) 668 668 - 669 669 - _, err := store.Get(testCtx, "sha256:abc123") 670 670 - if err != nil { 671 671 - t.Fatalf("Get() error = %v", err) 672 672 - } 673 673 - 674 674 - // Wait for async goroutine to complete (metrics are incremented asynchronously) 675 675 - time.Sleep(50 * time.Millisecond) 676 676 - 677 677 - if tt.expectPullIncrement { 678 678 - // Check that IncrementPullCount was called 679 679 - if mockDB.getPullCount() == 0 { 680 680 - t.Error("Expected pull count to be incremented for GET request, but it wasn't") 681 681 - } 682 682 - } else { 683 683 - // Check that IncrementPullCount was NOT called 684 684 - if mockDB.getPullCount() > 0 { 685 685 - t.Errorf("Expected pull count NOT to be incremented for %s request, but it was (count=%d)", tt.httpMethod, mockDB.getPullCount()) 686 686 - } 687 687 - } 688 688 - }) 689 689 - } 690 690 - } 691 691 - 692 505 // TestManifestStore_Put tests storing manifests 693 506 func TestManifestStore_Put(t *testing.T) { 694 507 ociManifest := []byte(`{ ··· 760 573 // Handle uploadBlob 761 574 if r.URL.Path == atproto.RepoUploadBlob { 762 575 w.WriteHeader(http.StatusOK) 763 763 - w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"mimeType":"application/json","size":100}}`)) 576 576 + w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafytest"},"mimeType":"application/json","size":100}}`)) 764 577 return 765 578 } 766 579 ··· 769 582 json.NewDecoder(r.Body).Decode(&lastBody) 770 583 w.WriteHeader(tt.serverStatus) 771 584 if tt.serverStatus == http.StatusOK { 772 772 - w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/abc123","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}`)) 585 585 + w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/abc123","cid":"bafytest"}`)) 773 586 } else { 774 587 w.Write([]byte(`{"error":"ServerError"}`)) 775 588 } ··· 780 593 })) 781 594 defer server.Close() 782 595 783 783 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 784 784 - db := &mockDatabaseMetrics{} 785 785 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", db) 786 786 - store := NewManifestStore(ctx, nil) 596 596 + userCtx := mockUserContextForManifest( 597 597 + server.URL, 598 598 + "myapp", 599 599 + "did:web:hold.example.com", 600 600 + "did:plc:test123", 601 601 + "test.handle", 602 602 + ) 603 603 + store := NewManifestStore(userCtx, nil, nil) 787 604 788 605 dgst, err := store.Put(context.Background(), tt.manifest, tt.options...) 789 606 if (err != nil) != tt.wantErr { ··· 821 638 822 639 server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 823 640 if r.URL.Path == atproto.RepoUploadBlob { 824 824 - w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"size":100}}`)) 641 641 + w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafytest"},"size":100}}`)) 825 642 return 826 643 } 827 644 if r.URL.Path == atproto.RepoPutRecord { 828 828 - w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/config123","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}`)) 645 645 + w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/config123","cid":"bafytest"}`)) 829 646 return 830 647 } 831 648 w.WriteHeader(http.StatusOK) 832 649 })) 833 650 defer server.Close() 834 651 835 835 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 836 836 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 652 652 + userCtx := mockUserContextForManifest( 653 653 + server.URL, 654 654 + "myapp", 655 655 + "did:web:hold.example.com", 656 656 + "did:plc:test123", 657 657 + "test.handle", 658 658 + ) 837 659 838 660 // Use config digest in manifest 839 661 ociManifestWithConfig := []byte(`{ ··· 848 670 payload: ociManifestWithConfig, 849 671 } 850 672 851 851 - store := NewManifestStore(ctx, blobStore) 673 673 + store := NewManifestStore(userCtx, blobStore, nil) 852 674 853 675 _, err := store.Put(context.Background(), manifest) 854 676 if err != nil { ··· 876 698 name: "successful delete", 877 699 digest: "sha256:abc123", 878 700 serverStatus: http.StatusOK, 879 879 - serverResp: `{"commit":{"cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku","rev":"12345"}}`, 701 701 + serverResp: `{"commit":{"cid":"bafytest","rev":"12345"}}`, 880 702 wantErr: false, 881 703 }, 882 704 { ··· 908 730 })) 909 731 defer server.Close() 910 732 911 911 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 912 912 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 913 913 - store := NewManifestStore(ctx, nil) 733 733 + userCtx := mockUserContextForManifest( 734 734 + server.URL, 735 735 + "myapp", 736 736 + "did:web:hold.example.com", 737 737 + "did:plc:test123", 738 738 + "test.handle", 739 739 + ) 740 740 + store := NewManifestStore(userCtx, nil, nil) 914 741 915 742 err := store.Delete(context.Background(), tt.digest) 916 743 if (err != nil) != tt.wantErr { ··· 1033 860 // Handle uploadBlob 1034 861 if r.URL.Path == atproto.RepoUploadBlob { 1035 862 w.WriteHeader(http.StatusOK) 1036 1036 - w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"mimeType":"application/json","size":100}}`)) 863 863 + w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafytest"},"mimeType":"application/json","size":100}}`)) 1037 864 return 1038 865 } 1039 866 ··· 1045 872 // If child should exist, return it; otherwise return RecordNotFound 1046 873 if tt.childExists || rkey == childDigest.Encoded() { 1047 874 w.WriteHeader(http.StatusOK) 1048 1048 - w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/` + rkey + `","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku","value":{}}`)) 875 875 + w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/` + rkey + `","cid":"bafytest","value":{}}`)) 1049 876 } else { 1050 877 w.WriteHeader(http.StatusBadRequest) 1051 878 w.Write([]byte(`{"error":"RecordNotFound","message":"Record not found"}`)) ··· 1056 883 // Handle putRecord 1057 884 if r.URL.Path == atproto.RepoPutRecord { 1058 885 w.WriteHeader(http.StatusOK) 1059 1059 - w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/test123","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}`)) 886 886 + w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/test123","cid":"bafytest"}`)) 1060 887 return 1061 888 } 1062 889 ··· 1064 891 })) 1065 892 defer server.Close() 1066 893 1067 1067 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 1068 1068 - db := &mockDatabaseMetrics{} 1069 1069 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", db) 1070 1070 - store := NewManifestStore(ctx, nil) 894 894 + userCtx := mockUserContextForManifest( 895 895 + server.URL, 896 896 + "myapp", 897 897 + "did:web:hold.example.com", 898 898 + "did:plc:test123", 899 899 + "test.handle", 900 900 + ) 901 901 + store := NewManifestStore(userCtx, nil, nil) 1071 902 1072 903 manifest := &rawManifest{ 1073 904 mediaType: "application/vnd.oci.image.index.v1+json", ··· 1117 948 1118 949 server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 1119 950 if r.URL.Path == atproto.RepoUploadBlob { 1120 1120 - w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"},"size":100}}`)) 951 951 + w.Write([]byte(`{"blob":{"$type":"blob","ref":{"$link":"bafytest"},"size":100}}`)) 1121 952 return 1122 953 } 1123 954 1124 955 if r.URL.Path == atproto.RepoGetRecord { 1125 956 rkey := r.URL.Query().Get("rkey") 1126 957 if existingManifests[rkey] { 1127 1127 - w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/` + rkey + `","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku","value":{}}`)) 958 958 + w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/` + rkey + `","cid":"bafytest","value":{}}`)) 1128 959 } else { 1129 960 w.WriteHeader(http.StatusBadRequest) 1130 961 w.Write([]byte(`{"error":"RecordNotFound"}`)) ··· 1133 964 } 1134 965 1135 966 if r.URL.Path == atproto.RepoPutRecord { 1136 1136 - w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/test123","cid":"bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}`)) 967 967 + w.Write([]byte(`{"uri":"at://did:plc:test123/io.atcr.manifest/test123","cid":"bafytest"}`)) 1137 968 return 1138 969 } 1139 970 ··· 1141 972 })) 1142 973 defer server.Close() 1143 974 1144 1144 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 1145 1145 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 1146 1146 - store := NewManifestStore(ctx, nil) 975 975 + userCtx := mockUserContextForManifest( 976 976 + server.URL, 977 977 + "myapp", 978 978 + "did:web:hold.example.com", 979 979 + "did:plc:test123", 980 980 + "test.handle", 981 981 + ) 982 982 + store := NewManifestStore(userCtx, nil, nil) 1147 983 1148 984 // Create manifest list with both children 1149 985 manifestList := []byte(`{

+10 -12

pkg/appview/storage/profile.go

··· 54 54 // GetProfile retrieves the user's profile from their PDS 55 55 // Returns nil if profile doesn't exist 56 56 // Automatically migrates old URL-based defaultHold values to DIDs 57 57 - func GetProfile(ctx context.Context, client *atproto.Client) (*atproto.SailorProfile, error) { 57 57 + func GetProfile(ctx context.Context, client *atproto.Client) (*atproto.SailorProfileRecord, error) { 58 58 record, err := client.GetRecord(ctx, atproto.SailorProfileCollection, ProfileRKey) 59 59 if err != nil { 60 60 // Check if it's a 404 (profile doesn't exist) ··· 65 65 } 66 66 67 67 // Parse the profile record 68 68 - var profile atproto.SailorProfile 68 68 + var profile atproto.SailorProfileRecord 69 69 if err := json.Unmarshal(record.Value, &profile); err != nil { 70 70 return nil, fmt.Errorf("failed to parse profile: %w", err) 71 71 } 72 72 73 73 // Migrate old URL-based defaultHold to DID format 74 74 // This ensures backward compatibility with profiles created before DID migration 75 75 - if profile.DefaultHold != nil && *profile.DefaultHold != "" && !atproto.IsDID(*profile.DefaultHold) { 75 75 + if profile.DefaultHold != "" && !atproto.IsDID(profile.DefaultHold) { 76 76 // Convert URL to DID transparently 77 77 - migratedDID := atproto.ResolveHoldDIDFromURL(*profile.DefaultHold) 78 78 - profile.DefaultHold = &migratedDID 77 77 + migratedDID := atproto.ResolveHoldDIDFromURL(profile.DefaultHold) 78 78 + profile.DefaultHold = migratedDID 79 79 80 80 // Persist the migration to PDS in a background goroutine 81 81 // Use a lock to ensure only one goroutine migrates this DID ··· 94 94 defer cancel() 95 95 96 96 // Update the profile on the PDS 97 97 - now := time.Now().Format(time.RFC3339) 98 98 - profile.UpdatedAt = &now 97 97 + profile.UpdatedAt = time.Now() 99 98 if err := UpdateProfile(ctx, client, &profile); err != nil { 100 99 slog.Warn("Failed to persist URL-to-DID migration", "component", "profile", "did", did, "error", err) 101 100 } else { ··· 110 109 111 110 // UpdateProfile updates the user's profile 112 111 // Normalizes defaultHold to DID format before saving 113 113 - func UpdateProfile(ctx context.Context, client *atproto.Client, profile *atproto.SailorProfile) error { 112 112 + func UpdateProfile(ctx context.Context, client *atproto.Client, profile *atproto.SailorProfileRecord) error { 114 113 // Normalize defaultHold to DID if it's a URL 115 114 // This ensures we always store DIDs, even if user provides a URL 116 116 - if profile.DefaultHold != nil && *profile.DefaultHold != "" && !atproto.IsDID(*profile.DefaultHold) { 117 117 - normalized := atproto.ResolveHoldDIDFromURL(*profile.DefaultHold) 118 118 - profile.DefaultHold = &normalized 119 119 - slog.Debug("Normalized defaultHold to DID", "component", "profile", "default_hold", normalized) 115 115 + if profile.DefaultHold != "" && !atproto.IsDID(profile.DefaultHold) { 116 116 + profile.DefaultHold = atproto.ResolveHoldDIDFromURL(profile.DefaultHold) 117 117 + slog.Debug("Normalized defaultHold to DID", "component", "profile", "default_hold", profile.DefaultHold) 120 118 } 121 119 122 120 _, err := client.PutRecord(ctx, atproto.SailorProfileCollection, ProfileRKey, profile)

+40 -46

pkg/appview/storage/profile_test.go

··· 39 39 40 40 for _, tt := range tests { 41 41 t.Run(tt.name, func(t *testing.T) { 42 42 - var createdProfile *atproto.SailorProfile 42 42 + var createdProfile *atproto.SailorProfileRecord 43 43 44 44 server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 45 45 // First request: GetRecord (should 404) ··· 95 95 t.Fatal("Profile was not created") 96 96 } 97 97 98 98 - if createdProfile.LexiconTypeID != atproto.SailorProfileCollection { 99 99 - t.Errorf("LexiconTypeID = %v, want %v", createdProfile.LexiconTypeID, atproto.SailorProfileCollection) 98 98 + if createdProfile.Type != atproto.SailorProfileCollection { 99 99 + t.Errorf("Type = %v, want %v", createdProfile.Type, atproto.SailorProfileCollection) 100 100 } 101 101 102 102 - gotDefaultHold := "" 103 103 - if createdProfile.DefaultHold != nil { 104 104 - gotDefaultHold = *createdProfile.DefaultHold 105 105 - } 106 106 - if gotDefaultHold != tt.wantNormalized { 107 107 - t.Errorf("DefaultHold = %v, want %v", gotDefaultHold, tt.wantNormalized) 102 102 + if createdProfile.DefaultHold != tt.wantNormalized { 103 103 + t.Errorf("DefaultHold = %v, want %v", createdProfile.DefaultHold, tt.wantNormalized) 108 104 } 109 105 }) 110 106 } ··· 158 154 name string 159 155 serverResponse string 160 156 serverStatus int 161 161 - wantProfile *atproto.SailorProfile 157 157 + wantProfile *atproto.SailorProfileRecord 162 158 wantNil bool 163 159 wantErr bool 164 160 expectMigration bool // Whether URL-to-DID migration should happen ··· 269 265 } 270 266 271 267 // Check that defaultHold is migrated to DID in returned profile 272 272 - gotDefaultHold := "" 273 273 - if profile.DefaultHold != nil { 274 274 - gotDefaultHold = *profile.DefaultHold 275 275 - } 276 276 - if gotDefaultHold != tt.expectedHoldDID { 277 277 - t.Errorf("DefaultHold = %v, want %v", gotDefaultHold, tt.expectedHoldDID) 268 268 + if profile.DefaultHold != tt.expectedHoldDID { 269 269 + t.Errorf("DefaultHold = %v, want %v", profile.DefaultHold, tt.expectedHoldDID) 278 270 } 279 271 280 272 if tt.expectMigration { ··· 374 366 } 375 367 } 376 368 377 377 - // testSailorProfile creates a test profile with the given default hold 378 378 - func testSailorProfile(defaultHold string) *atproto.SailorProfile { 379 379 - now := time.Now().Format(time.RFC3339) 380 380 - profile := &atproto.SailorProfile{ 381 381 - LexiconTypeID: atproto.SailorProfileCollection, 382 382 - CreatedAt: now, 383 383 - UpdatedAt: &now, 384 384 - } 385 385 - if defaultHold != "" { 386 386 - profile.DefaultHold = &defaultHold 387 387 - } 388 388 - return profile 389 389 - } 390 390 - 391 369 // TestUpdateProfile tests updating a user's profile 392 370 func TestUpdateProfile(t *testing.T) { 393 371 tests := []struct { 394 372 name string 395 395 - profile *atproto.SailorProfile 373 373 + profile *atproto.SailorProfileRecord 396 374 wantNormalized string // Expected defaultHold after normalization 397 375 wantErr bool 398 376 }{ 399 377 { 400 400 - name: "update with DID", 401 401 - profile: testSailorProfile("did:web:hold02.atcr.io"), 378 378 + name: "update with DID", 379 379 + profile: &atproto.SailorProfileRecord{ 380 380 + Type: atproto.SailorProfileCollection, 381 381 + DefaultHold: "did:web:hold02.atcr.io", 382 382 + CreatedAt: time.Now(), 383 383 + UpdatedAt: time.Now(), 384 384 + }, 402 385 wantNormalized: "did:web:hold02.atcr.io", 403 386 wantErr: false, 404 387 }, 405 388 { 406 406 - name: "update with URL - should normalize", 407 407 - profile: testSailorProfile("https://hold02.atcr.io"), 389 389 + name: "update with URL - should normalize", 390 390 + profile: &atproto.SailorProfileRecord{ 391 391 + Type: atproto.SailorProfileCollection, 392 392 + DefaultHold: "https://hold02.atcr.io", 393 393 + CreatedAt: time.Now(), 394 394 + UpdatedAt: time.Now(), 395 395 + }, 408 396 wantNormalized: "did:web:hold02.atcr.io", 409 397 wantErr: false, 410 398 }, 411 399 { 412 412 - name: "clear default hold", 413 413 - profile: testSailorProfile(""), 400 400 + name: "clear default hold", 401 401 + profile: &atproto.SailorProfileRecord{ 402 402 + Type: atproto.SailorProfileCollection, 403 403 + DefaultHold: "", 404 404 + CreatedAt: time.Now(), 405 405 + UpdatedAt: time.Now(), 406 406 + }, 414 407 wantNormalized: "", 415 408 wantErr: false, 416 409 }, ··· 461 454 } 462 455 463 456 // Verify normalization also updated the profile object 464 464 - gotProfileHold := "" 465 465 - if tt.profile.DefaultHold != nil { 466 466 - gotProfileHold = *tt.profile.DefaultHold 467 467 - } 468 468 - if gotProfileHold != tt.wantNormalized { 469 469 - t.Errorf("profile.DefaultHold = %v, want %v (should be updated in-place)", gotProfileHold, tt.wantNormalized) 457 457 + if tt.profile.DefaultHold != tt.wantNormalized { 458 458 + t.Errorf("profile.DefaultHold = %v, want %v (should be updated in-place)", tt.profile.DefaultHold, tt.wantNormalized) 470 459 } 471 460 } 472 461 }) ··· 550 539 t.Fatalf("GetProfile() error = %v", err) 551 540 } 552 541 553 553 - if profile.DefaultHold != nil && *profile.DefaultHold != "" { 554 554 - t.Errorf("DefaultHold = %v, want empty or nil", profile.DefaultHold) 542 542 + if profile.DefaultHold != "" { 543 543 + t.Errorf("DefaultHold = %v, want empty string", profile.DefaultHold) 555 544 } 556 545 } 557 546 ··· 564 553 defer server.Close() 565 554 566 555 client := atproto.NewClient(server.URL, "did:plc:test123", "test-token") 567 567 - profile := testSailorProfile("did:web:hold01.atcr.io") 556 556 + profile := &atproto.SailorProfileRecord{ 557 557 + Type: atproto.SailorProfileCollection, 558 558 + DefaultHold: "did:web:hold01.atcr.io", 559 559 + CreatedAt: time.Now(), 560 560 + UpdatedAt: time.Now(), 561 561 + } 568 562 569 563 err := UpdateProfile(context.Background(), client, profile) 570 564

+26 -28

pkg/appview/storage/proxy_blob_store.go

··· 12 12 "time" 13 13 14 14 "atcr.io/pkg/atproto" 15 15 + "atcr.io/pkg/auth" 15 16 "github.com/distribution/distribution/v3" 16 17 "github.com/distribution/distribution/v3/registry/api/errcode" 17 18 "github.com/opencontainers/go-digest" ··· 32 33 33 34 // ProxyBlobStore proxies blob requests to an external storage service 34 35 type ProxyBlobStore struct { 35 35 - ctx *RegistryContext // All context and services 36 36 - holdURL string // Resolved HTTP URL for XRPC requests 36 36 + ctx *auth.UserContext // User context with identity, target, permissions 37 37 + holdURL string // Resolved HTTP URL for XRPC requests 37 38 httpClient *http.Client 38 39 } 39 40 40 41 // NewProxyBlobStore creates a new proxy blob store 41 41 - func NewProxyBlobStore(ctx *RegistryContext) *ProxyBlobStore { 42 42 + func NewProxyBlobStore(userCtx *auth.UserContext) *ProxyBlobStore { 42 43 // Resolve DID to URL once at construction time 43 43 - holdURL := atproto.ResolveHoldURL(ctx.HoldDID) 44 44 + holdURL := atproto.ResolveHoldURL(userCtx.TargetHoldDID) 44 45 45 45 - slog.Debug("NewProxyBlobStore created", "component", "proxy_blob_store", "hold_did", ctx.HoldDID, "hold_url", holdURL, "user_did", ctx.DID, "repo", ctx.Repository) 46 46 + slog.Debug("NewProxyBlobStore created", "component", "proxy_blob_store", "hold_did", userCtx.TargetHoldDID, "hold_url", holdURL, "user_did", userCtx.TargetOwnerDID, "repo", userCtx.TargetRepo) 46 47 47 48 return &ProxyBlobStore{ 48 48 - ctx: ctx, 49 49 + ctx: userCtx, 49 50 holdURL: holdURL, 50 51 httpClient: &http.Client{ 51 52 Timeout: 5 * time.Minute, // Timeout for presigned URL requests and uploads ··· 61 62 } 62 63 63 64 // doAuthenticatedRequest performs an HTTP request with service token authentication 64 64 - // Uses the service token from middleware to authenticate requests to the hold service 65 65 + // Uses the service token from UserContext to authenticate requests to the hold service 65 66 func (p *ProxyBlobStore) doAuthenticatedRequest(ctx context.Context, req *http.Request) (*http.Response, error) { 66 66 - // Use service token that middleware already validated and cached 67 67 - // Middleware fails fast with HTTP 401 if OAuth session is invalid 68 68 - if p.ctx.ServiceToken == "" { 67 67 + // Get service token from UserContext (lazy-loaded and cached per holdDID) 68 68 + serviceToken, err := p.ctx.GetServiceToken(ctx) 69 69 + if err != nil { 70 70 + slog.Error("Failed to get service token", "component", "proxy_blob_store", "did", p.ctx.DID, "error", err) 71 71 + return nil, fmt.Errorf("failed to get service token: %w", err) 72 72 + } 73 73 + if serviceToken == "" { 69 74 // Should never happen - middleware validates OAuth before handlers run 70 75 slog.Error("No service token in context", "component", "proxy_blob_store", "did", p.ctx.DID) 71 76 return nil, fmt.Errorf("no service token available (middleware should have validated)") 72 77 } 73 78 74 79 // Add Bearer token to Authorization header 75 75 - req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", p.ctx.ServiceToken)) 80 80 + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", serviceToken)) 76 81 77 82 return p.httpClient.Do(req) 78 83 } 79 84 80 85 // checkReadAccess validates that the user has read access to blobs in this hold 81 86 func (p *ProxyBlobStore) checkReadAccess(ctx context.Context) error { 82 82 - if p.ctx.Authorizer == nil { 83 83 - return nil // No authorization check if authorizer not configured 84 84 - } 85 85 - allowed, err := p.ctx.Authorizer.CheckReadAccess(ctx, p.ctx.HoldDID, p.ctx.DID) 87 87 + canRead, err := p.ctx.CanRead(ctx) 86 88 if err != nil { 87 89 return fmt.Errorf("authorization check failed: %w", err) 88 90 } 89 89 - if !allowed { 91 91 + if !canRead { 90 92 // Return 403 Forbidden instead of masquerading as missing blob 91 93 return errcode.ErrorCodeDenied.WithMessage("read access denied") 92 94 } ··· 95 97 96 98 // checkWriteAccess validates that the user has write access to blobs in this hold 97 99 func (p *ProxyBlobStore) checkWriteAccess(ctx context.Context) error { 98 98 - if p.ctx.Authorizer == nil { 99 99 - return nil // No authorization check if authorizer not configured 100 100 - } 101 101 - 102 102 - slog.Debug("Checking write access", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.HoldDID) 103 103 - allowed, err := p.ctx.Authorizer.CheckWriteAccess(ctx, p.ctx.HoldDID, p.ctx.DID) 100 100 + slog.Debug("Checking write access", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.TargetHoldDID) 101 101 + canWrite, err := p.ctx.CanWrite(ctx) 104 102 if err != nil { 105 103 slog.Error("Authorization check error", "component", "proxy_blob_store", "error", err) 106 104 return fmt.Errorf("authorization check failed: %w", err) 107 105 } 108 108 - if !allowed { 109 109 - slog.Warn("Write access denied", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.HoldDID) 110 110 - return errcode.ErrorCodeDenied.WithMessage(fmt.Sprintf("write access denied to hold %s", p.ctx.HoldDID)) 106 106 + if !canWrite { 107 107 + slog.Warn("Write access denied", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.TargetHoldDID) 108 108 + return errcode.ErrorCodeDenied.WithMessage(fmt.Sprintf("write access denied to hold %s", p.ctx.TargetHoldDID)) 111 109 } 112 112 - slog.Debug("Write access allowed", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.HoldDID) 110 110 + slog.Debug("Write access allowed", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.TargetHoldDID) 113 111 return nil 114 112 } 115 113 ··· 356 354 // getPresignedURL returns the XRPC endpoint URL for blob operations 357 355 func (p *ProxyBlobStore) getPresignedURL(ctx context.Context, operation string, dgst digest.Digest) (string, error) { 358 356 // Use XRPC endpoint: /xrpc/com.atproto.sync.getBlob?did={userDID}&cid={digest} 359 359 - // The 'did' parameter is the USER's DID (whose blob we're fetching), not the hold service DID 357 357 + // The 'did' parameter is the TARGET OWNER's DID (whose blob we're fetching), not the hold service DID 360 358 // Per migration doc: hold accepts OCI digest directly as cid parameter (checks for sha256: prefix) 361 359 xrpcURL := fmt.Sprintf("%s%s?did=%s&cid=%s&method=%s", 362 362 - p.holdURL, atproto.SyncGetBlob, p.ctx.DID, dgst.String(), operation) 360 360 + p.holdURL, atproto.SyncGetBlob, p.ctx.TargetOwnerDID, dgst.String(), operation) 363 361 364 362 req, err := http.NewRequestWithContext(ctx, "GET", xrpcURL, nil) 365 363 if err != nil {

+78 -420

pkg/appview/storage/proxy_blob_store_test.go

··· 1 1 package storage 2 2 3 3 import ( 4 4 - "context" 5 4 "encoding/base64" 6 6 - "encoding/json" 7 5 "fmt" 8 8 - "net/http" 9 9 - "net/http/httptest" 10 6 "strings" 11 7 "testing" 12 8 "time" 13 9 14 10 "atcr.io/pkg/atproto" 15 15 - "atcr.io/pkg/auth/token" 16 16 - "github.com/opencontainers/go-digest" 11 11 + "atcr.io/pkg/auth" 17 12 ) 18 13 19 19 - // TestGetServiceToken_CachingLogic tests the token caching mechanism 14 14 + // TestGetServiceToken_CachingLogic tests the global service token caching mechanism 15 15 + // These tests use the global auth cache functions directly 20 16 func TestGetServiceToken_CachingLogic(t *testing.T) { 21 21 - userDID := "did:plc:test" 17 17 + userDID := "did:plc:cache-test" 22 18 holdDID := "did:web:hold.example.com" 23 19 24 20 // Test 1: Empty cache - invalidate any existing token 25 25 - token.InvalidateServiceToken(userDID, holdDID) 26 26 - cachedToken, _ := token.GetServiceToken(userDID, holdDID) 21 21 + auth.InvalidateServiceToken(userDID, holdDID) 22 22 + cachedToken, _ := auth.GetServiceToken(userDID, holdDID) 27 23 if cachedToken != "" { 28 24 t.Error("Expected empty cache at start") 29 25 } 30 26 31 27 // Test 2: Insert token into cache 32 28 // Create a JWT-like token with exp claim for testing 33 33 - // Format: header.payload.signature where payload has exp claim 34 29 testPayload := fmt.Sprintf(`{"exp":%d}`, time.Now().Add(50*time.Second).Unix()) 35 30 testToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(testPayload) + ".signature" 36 31 37 37 - err := token.SetServiceToken(userDID, holdDID, testToken) 32 32 + err := auth.SetServiceToken(userDID, holdDID, testToken) 38 33 if err != nil { 39 34 t.Fatalf("Failed to set service token: %v", err) 40 35 } 41 36 42 37 // Test 3: Retrieve from cache 43 43 - cachedToken, expiresAt := token.GetServiceToken(userDID, holdDID) 38 38 + cachedToken, expiresAt := auth.GetServiceToken(userDID, holdDID) 44 39 if cachedToken == "" { 45 40 t.Fatal("Expected token to be in cache") 46 41 } ··· 56 51 // Test 4: Expired token - GetServiceToken automatically removes it 57 52 expiredPayload := fmt.Sprintf(`{"exp":%d}`, time.Now().Add(-1*time.Hour).Unix()) 58 53 expiredToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(expiredPayload) + ".signature" 59 59 - token.SetServiceToken(userDID, holdDID, expiredToken) 54 54 + auth.SetServiceToken(userDID, holdDID, expiredToken) 60 55 61 56 // GetServiceToken should return empty string for expired token 62 62 - cachedToken, _ = token.GetServiceToken(userDID, holdDID) 57 57 + cachedToken, _ = auth.GetServiceToken(userDID, holdDID) 63 58 if cachedToken != "" { 64 59 t.Error("Expected expired token to be removed from cache") 65 60 } ··· 70 65 return strings.TrimRight(base64.URLEncoding.EncodeToString([]byte(data)), "=") 71 66 } 72 67 73 73 - // TestServiceToken_EmptyInContext tests that operations fail when service token is missing 74 74 - func TestServiceToken_EmptyInContext(t *testing.T) { 75 75 - ctx := &RegistryContext{ 76 76 - DID: "did:plc:test", 77 77 - HoldDID: "did:web:hold.example.com", 78 78 - PDSEndpoint: "https://pds.example.com", 79 79 - Repository: "test-repo", 80 80 - ServiceToken: "", // No service token (middleware didn't set it) 81 81 - Refresher: nil, 82 82 - } 68 68 + // mockUserContextForProxy creates a mock auth.UserContext for proxy blob store testing. 69 69 + // It sets up both the user identity and target info, and configures test helpers 70 70 + // to bypass network calls. 71 71 + func mockUserContextForProxy(did, holdDID, pdsEndpoint, repository string) *auth.UserContext { 72 72 + userCtx := auth.NewUserContext(did, "oauth", "PUT", nil) 73 73 + userCtx.SetTarget(did, "test.handle", pdsEndpoint, repository, holdDID) 83 74 84 84 - store := NewProxyBlobStore(ctx) 75 75 + // Bypass PDS resolution (avoids network calls) 76 76 + userCtx.SetPDSForTest("test.handle", pdsEndpoint) 85 77 86 86 - // Try a write operation that requires authentication 87 87 - testDigest := digest.FromString("test-content") 88 88 - _, err := store.Stat(context.Background(), testDigest) 78 78 + // Set up mock authorizer that allows access 79 79 + userCtx.SetAuthorizerForTest(auth.NewMockHoldAuthorizer()) 89 80 90 90 - // Should fail because no service token is available 91 91 - if err == nil { 92 92 - t.Error("Expected error when service token is empty") 93 93 - } 81 81 + // Set default hold DID for push resolution 82 82 + userCtx.SetDefaultHoldDIDForTest(holdDID) 94 83 95 95 - // Error should indicate authentication issue 96 96 - if !strings.Contains(err.Error(), "UNAUTHORIZED") && !strings.Contains(err.Error(), "authentication") { 97 97 - t.Logf("Got error (acceptable): %v", err) 98 98 - } 84 84 + return userCtx 99 85 } 100 86 101 101 - // TestDoAuthenticatedRequest_BearerTokenInjection tests that Bearer tokens are added to requests 102 102 - func TestDoAuthenticatedRequest_BearerTokenInjection(t *testing.T) { 103 103 - // This test verifies the Bearer token injection logic 104 104 - 105 105 - testToken := "test-bearer-token-xyz" 106 106 - 107 107 - // Create a test server to verify the Authorization header 108 108 - var receivedAuthHeader string 109 109 - testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 110 110 - receivedAuthHeader = r.Header.Get("Authorization") 111 111 - w.WriteHeader(http.StatusOK) 112 112 - })) 113 113 - defer testServer.Close() 114 114 - 115 115 - // Create ProxyBlobStore with service token in context (set by middleware) 116 116 - ctx := &RegistryContext{ 117 117 - DID: "did:plc:bearer-test", 118 118 - HoldDID: "did:web:hold.example.com", 119 119 - PDSEndpoint: "https://pds.example.com", 120 120 - Repository: "test-repo", 121 121 - ServiceToken: testToken, // Service token from middleware 122 122 - Refresher: nil, 123 123 - } 124 124 - 125 125 - store := NewProxyBlobStore(ctx) 126 126 - 127 127 - // Create request 128 128 - req, err := http.NewRequest(http.MethodGet, testServer.URL+"/test", nil) 129 129 - if err != nil { 130 130 - t.Fatalf("Failed to create request: %v", err) 131 131 - } 132 132 - 133 133 - // Do authenticated request 134 134 - resp, err := store.doAuthenticatedRequest(context.Background(), req) 135 135 - if err != nil { 136 136 - t.Fatalf("doAuthenticatedRequest failed: %v", err) 137 137 - } 138 138 - defer resp.Body.Close() 139 139 - 140 140 - // Verify Bearer token was added 141 141 - expectedHeader := "Bearer " + testToken 142 142 - if receivedAuthHeader != expectedHeader { 143 143 - t.Errorf("Expected Authorization header %s, got %s", expectedHeader, receivedAuthHeader) 144 144 - } 87 87 + // mockUserContextForProxyWithToken creates a mock UserContext with a pre-populated service token. 88 88 + func mockUserContextForProxyWithToken(did, holdDID, pdsEndpoint, repository, serviceToken string) *auth.UserContext { 89 89 + userCtx := mockUserContextForProxy(did, holdDID, pdsEndpoint, repository) 90 90 + userCtx.SetServiceTokenForTest(holdDID, serviceToken) 91 91 + return userCtx 145 92 } 146 93 147 147 - // TestDoAuthenticatedRequest_ErrorWhenTokenUnavailable tests that authentication failures return proper errors 148 148 - func TestDoAuthenticatedRequest_ErrorWhenTokenUnavailable(t *testing.T) { 149 149 - // Create test server (should not be called since auth fails first) 150 150 - called := false 151 151 - testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 152 152 - called = true 153 153 - w.WriteHeader(http.StatusOK) 154 154 - })) 155 155 - defer testServer.Close() 156 156 - 157 157 - // Create ProxyBlobStore without service token (middleware didn't set it) 158 158 - ctx := &RegistryContext{ 159 159 - DID: "did:plc:fallback", 160 160 - HoldDID: "did:web:hold.example.com", 161 161 - PDSEndpoint: "https://pds.example.com", 162 162 - Repository: "test-repo", 163 163 - ServiceToken: "", // No service token 164 164 - Refresher: nil, 165 165 - } 166 166 - 167 167 - store := NewProxyBlobStore(ctx) 168 168 - 169 169 - // Create request 170 170 - req, err := http.NewRequest(http.MethodGet, testServer.URL+"/test", nil) 171 171 - if err != nil { 172 172 - t.Fatalf("Failed to create request: %v", err) 173 173 - } 174 174 - 175 175 - // Do authenticated request - should fail when no service token 176 176 - resp, err := store.doAuthenticatedRequest(context.Background(), req) 177 177 - if err == nil { 178 178 - t.Fatal("Expected doAuthenticatedRequest to fail when no service token is available") 179 179 - } 180 180 - if resp != nil { 181 181 - resp.Body.Close() 182 182 - } 183 183 - 184 184 - // Verify error indicates authentication/authorization issue 185 185 - errStr := err.Error() 186 186 - if !strings.Contains(errStr, "service token") && !strings.Contains(errStr, "UNAUTHORIZED") { 187 187 - t.Errorf("Expected service token or unauthorized error, got: %v", err) 188 188 - } 189 189 - 190 190 - if called { 191 191 - t.Error("Expected request to NOT be made when authentication fails") 192 192 - } 193 193 - } 194 194 - 195 195 - // TestResolveHoldURL tests DID to URL conversion 94 94 + // TestResolveHoldURL tests DID to URL conversion (pure function) 196 95 func TestResolveHoldURL(t *testing.T) { 197 96 tests := []struct { 198 97 name string ··· 200 99 expected string 201 100 }{ 202 101 { 203 203 - name: "did:web with http (TEST_MODE)", 102 102 + name: "did:web with http (localhost)", 204 103 holdDID: "did:web:localhost:8080", 205 104 expected: "http://localhost:8080", 206 105 }, ··· 228 127 229 128 // TestServiceTokenCacheExpiry tests that expired cached tokens are not used 230 129 func TestServiceTokenCacheExpiry(t *testing.T) { 231 231 - userDID := "did:plc:expiry" 130 130 + userDID := "did:plc:expiry-test" 232 131 holdDID := "did:web:hold.example.com" 233 132 234 133 // Insert expired token 235 134 expiredPayload := fmt.Sprintf(`{"exp":%d}`, time.Now().Add(-1*time.Hour).Unix()) 236 135 expiredToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(expiredPayload) + ".signature" 237 237 - token.SetServiceToken(userDID, holdDID, expiredToken) 136 136 + auth.SetServiceToken(userDID, holdDID, expiredToken) 238 137 239 138 // GetServiceToken should automatically remove expired tokens 240 240 - cachedToken, expiresAt := token.GetServiceToken(userDID, holdDID) 139 139 + cachedToken, expiresAt := auth.GetServiceToken(userDID, holdDID) 241 140 242 141 // Should return empty string for expired token 243 142 if cachedToken != "" { ··· 272 171 273 172 // TestNewProxyBlobStore tests ProxyBlobStore creation 274 173 func TestNewProxyBlobStore(t *testing.T) { 275 275 - ctx := &RegistryContext{ 276 276 - DID: "did:plc:test", 277 277 - HoldDID: "did:web:hold.example.com", 278 278 - PDSEndpoint: "https://pds.example.com", 279 279 - Repository: "test-repo", 280 280 - } 174 174 + userCtx := mockUserContextForProxy( 175 175 + "did:plc:test", 176 176 + "did:web:hold.example.com", 177 177 + "https://pds.example.com", 178 178 + "test-repo", 179 179 + ) 281 180 282 282 - store := NewProxyBlobStore(ctx) 181 181 + store := NewProxyBlobStore(userCtx) 283 182 284 183 if store == nil { 285 184 t.Fatal("Expected non-nil ProxyBlobStore") 286 185 } 287 186 288 288 - if store.ctx != ctx { 187 187 + if store.ctx != userCtx { 289 188 t.Error("Expected context to be set") 290 189 } 291 190 ··· 310 209 311 210 testPayload := fmt.Sprintf(`{"exp":%d}`, time.Now().Add(50*time.Second).Unix()) 312 211 testTokenStr := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(testPayload) + ".signature" 313 313 - token.SetServiceToken(userDID, holdDID, testTokenStr) 212 212 + auth.SetServiceToken(userDID, holdDID, testTokenStr) 314 213 315 214 for b.Loop() { 316 316 - cachedToken, expiresAt := token.GetServiceToken(userDID, holdDID) 215 215 + cachedToken, expiresAt := auth.GetServiceToken(userDID, holdDID) 317 216 318 217 if cachedToken == "" || time.Now().After(expiresAt) { 319 218 b.Error("Cache miss in benchmark") ··· 321 220 } 322 221 } 323 222 324 324 - // TestCompleteMultipartUpload_JSONFormat verifies the JSON request format sent to hold service 325 325 - // This test would have caught the "partNumber" vs "part_number" bug 326 326 - func TestCompleteMultipartUpload_JSONFormat(t *testing.T) { 327 327 - var capturedBody map[string]any 328 328 - 329 329 - // Mock hold service that captures the request body 330 330 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 331 331 - if !strings.Contains(r.URL.Path, atproto.HoldCompleteUpload) { 332 332 - t.Errorf("Wrong endpoint called: %s", r.URL.Path) 333 333 - } 334 334 - 335 335 - // Capture request body 336 336 - var body map[string]any 337 337 - if err := json.NewDecoder(r.Body).Decode(&body); err != nil { 338 338 - t.Errorf("Failed to decode request body: %v", err) 339 339 - } 340 340 - capturedBody = body 341 341 - 342 342 - w.Header().Set("Content-Type", "application/json") 343 343 - w.WriteHeader(http.StatusOK) 344 344 - w.Write([]byte(`{}`)) 345 345 - })) 346 346 - defer holdServer.Close() 347 347 - 348 348 - // Create store with mocked hold URL 349 349 - ctx := &RegistryContext{ 350 350 - DID: "did:plc:test", 351 351 - HoldDID: "did:web:hold.example.com", 352 352 - PDSEndpoint: "https://pds.example.com", 353 353 - Repository: "test-repo", 354 354 - ServiceToken: "test-service-token", // Service token from middleware 355 355 - } 356 356 - store := NewProxyBlobStore(ctx) 357 357 - store.holdURL = holdServer.URL 358 358 - 359 359 - // Call completeMultipartUpload 360 360 - parts := []CompletedPart{ 361 361 - {PartNumber: 1, ETag: "etag-1"}, 362 362 - {PartNumber: 2, ETag: "etag-2"}, 363 363 - } 364 364 - err := store.completeMultipartUpload(context.Background(), "sha256:abc123", "upload-id-xyz", parts) 365 365 - if err != nil { 366 366 - t.Fatalf("completeMultipartUpload failed: %v", err) 367 367 - } 368 368 - 369 369 - // Verify JSON format 370 370 - if capturedBody == nil { 371 371 - t.Fatal("No request body was captured") 372 372 - } 373 373 - 374 374 - // Check top-level fields 375 375 - if uploadID, ok := capturedBody["uploadId"].(string); !ok || uploadID != "upload-id-xyz" { 376 376 - t.Errorf("Expected uploadId='upload-id-xyz', got %v", capturedBody["uploadId"]) 377 377 - } 378 378 - if digest, ok := capturedBody["digest"].(string); !ok || digest != "sha256:abc123" { 379 379 - t.Errorf("Expected digest='sha256:abc123', got %v", capturedBody["digest"]) 380 380 - } 381 381 - 382 382 - // Check parts array 383 383 - partsArray, ok := capturedBody["parts"].([]any) 384 384 - if !ok { 385 385 - t.Fatalf("Expected parts to be array, got %T", capturedBody["parts"]) 386 386 - } 387 387 - if len(partsArray) != 2 { 388 388 - t.Fatalf("Expected 2 parts, got %d", len(partsArray)) 389 389 - } 390 390 - 391 391 - // Verify first part has "part_number" (not "partNumber") 392 392 - part0, ok := partsArray[0].(map[string]any) 393 393 - if !ok { 394 394 - t.Fatalf("Expected part to be object, got %T", partsArray[0]) 395 395 - } 396 396 - 397 397 - // THIS IS THE KEY CHECK - would have caught the bug 398 398 - if _, hasPartNumber := part0["partNumber"]; hasPartNumber { 399 399 - t.Error("Found 'partNumber' (camelCase) - should be 'part_number' (snake_case)") 400 400 - } 401 401 - if partNum, ok := part0["part_number"].(float64); !ok || int(partNum) != 1 { 402 402 - t.Errorf("Expected part_number=1, got %v", part0["part_number"]) 403 403 - } 404 404 - if etag, ok := part0["etag"].(string); !ok || etag != "etag-1" { 405 405 - t.Errorf("Expected etag='etag-1', got %v", part0["etag"]) 406 406 - } 407 407 - } 223 223 + // TestParseJWTExpiry tests JWT expiry parsing 224 224 + func TestParseJWTExpiry(t *testing.T) { 225 225 + // Create a JWT with known expiry 226 226 + futureTime := time.Now().Add(1 * time.Hour).Unix() 227 227 + testPayload := fmt.Sprintf(`{"exp":%d}`, futureTime) 228 228 + testToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(testPayload) + ".signature" 408 229 409 409 - // TestGet_UsesPresignedURLDirectly verifies that Get() doesn't add auth headers to presigned URLs 410 410 - // This test would have caught the presigned URL authentication bug 411 411 - func TestGet_UsesPresignedURLDirectly(t *testing.T) { 412 412 - blobData := []byte("test blob content") 413 413 - var s3ReceivedAuthHeader string 414 414 - 415 415 - // Mock S3 server that rejects requests with Authorization header 416 416 - s3Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 417 417 - s3ReceivedAuthHeader = r.Header.Get("Authorization") 418 418 - 419 419 - // Presigned URLs should NOT have Authorization header 420 420 - if s3ReceivedAuthHeader != "" { 421 421 - t.Errorf("S3 received Authorization header: %s (should be empty for presigned URLs)", s3ReceivedAuthHeader) 422 422 - w.WriteHeader(http.StatusForbidden) 423 423 - w.Write([]byte(`<?xml version="1.0"?><Error><Code>SignatureDoesNotMatch</Code></Error>`)) 424 424 - return 425 425 - } 426 426 - 427 427 - // Return blob data 428 428 - w.WriteHeader(http.StatusOK) 429 429 - w.Write(blobData) 430 430 - })) 431 431 - defer s3Server.Close() 432 432 - 433 433 - // Mock hold service that returns presigned S3 URL 434 434 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 435 435 - // Return presigned URL pointing to S3 server 436 436 - w.Header().Set("Content-Type", "application/json") 437 437 - w.WriteHeader(http.StatusOK) 438 438 - resp := map[string]string{ 439 439 - "url": s3Server.URL + "/blob?X-Amz-Signature=fake-signature", 440 440 - } 441 441 - json.NewEncoder(w).Encode(resp) 442 442 - })) 443 443 - defer holdServer.Close() 444 444 - 445 445 - // Create store with service token in context 446 446 - ctx := &RegistryContext{ 447 447 - DID: "did:plc:test", 448 448 - HoldDID: "did:web:hold.example.com", 449 449 - PDSEndpoint: "https://pds.example.com", 450 450 - Repository: "test-repo", 451 451 - ServiceToken: "test-service-token", // Service token from middleware 452 452 - } 453 453 - store := NewProxyBlobStore(ctx) 454 454 - store.holdURL = holdServer.URL 455 455 - 456 456 - // Call Get() 457 457 - dgst := digest.FromBytes(blobData) 458 458 - retrieved, err := store.Get(context.Background(), dgst) 230 230 + expiry, err := auth.ParseJWTExpiry(testToken) 459 231 if err != nil { 460 460 - t.Fatalf("Get() failed: %v", err) 232 232 + t.Fatalf("ParseJWTExpiry failed: %v", err) 461 233 } 462 234 463 463 - // Verify correct data was retrieved 464 464 - if string(retrieved) != string(blobData) { 465 465 - t.Errorf("Expected data=%s, got %s", string(blobData), string(retrieved)) 466 466 - } 467 467 - 468 468 - // Verify S3 received NO Authorization header 469 469 - if s3ReceivedAuthHeader != "" { 470 470 - t.Errorf("S3 should not receive Authorization header for presigned URLs, got: %s", s3ReceivedAuthHeader) 235 235 + // Verify expiry is close to what we set (within 1 second tolerance) 236 236 + expectedExpiry := time.Unix(futureTime, 0) 237 237 + diff := expiry.Sub(expectedExpiry) 238 238 + if diff < -time.Second || diff > time.Second { 239 239 + t.Errorf("Expiry mismatch: expected %v, got %v", expectedExpiry, expiry) 471 240 } 472 241 } 473 242 474 474 - // TestOpen_UsesPresignedURLDirectly verifies that Open() doesn't add auth headers to presigned URLs 475 475 - // This test would have caught the presigned URL authentication bug 476 476 - func TestOpen_UsesPresignedURLDirectly(t *testing.T) { 477 477 - blobData := []byte("test blob stream content") 478 478 - var s3ReceivedAuthHeader string 479 479 - 480 480 - // Mock S3 server 481 481 - s3Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 482 482 - s3ReceivedAuthHeader = r.Header.Get("Authorization") 483 483 - 484 484 - // Presigned URLs should NOT have Authorization header 485 485 - if s3ReceivedAuthHeader != "" { 486 486 - t.Errorf("S3 received Authorization header: %s (should be empty)", s3ReceivedAuthHeader) 487 487 - w.WriteHeader(http.StatusForbidden) 488 488 - return 489 489 - } 490 490 - 491 491 - w.WriteHeader(http.StatusOK) 492 492 - w.Write(blobData) 493 493 - })) 494 494 - defer s3Server.Close() 495 495 - 496 496 - // Mock hold service 497 497 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 498 498 - w.Header().Set("Content-Type", "application/json") 499 499 - w.WriteHeader(http.StatusOK) 500 500 - json.NewEncoder(w).Encode(map[string]string{ 501 501 - "url": s3Server.URL + "/blob?X-Amz-Signature=fake", 502 502 - }) 503 503 - })) 504 504 - defer holdServer.Close() 505 505 - 506 506 - // Create store with service token in context 507 507 - ctx := &RegistryContext{ 508 508 - DID: "did:plc:test", 509 509 - HoldDID: "did:web:hold.example.com", 510 510 - PDSEndpoint: "https://pds.example.com", 511 511 - Repository: "test-repo", 512 512 - ServiceToken: "test-service-token", // Service token from middleware 513 513 - } 514 514 - store := NewProxyBlobStore(ctx) 515 515 - store.holdURL = holdServer.URL 516 516 - 517 517 - // Call Open() 518 518 - dgst := digest.FromBytes(blobData) 519 519 - reader, err := store.Open(context.Background(), dgst) 520 520 - if err != nil { 521 521 - t.Fatalf("Open() failed: %v", err) 522 522 - } 523 523 - defer reader.Close() 524 524 - 525 525 - // Verify S3 received NO Authorization header 526 526 - if s3ReceivedAuthHeader != "" { 527 527 - t.Errorf("S3 should not receive Authorization header for presigned URLs, got: %s", s3ReceivedAuthHeader) 528 528 - } 529 529 - } 530 530 - 531 531 - // TestMultipartEndpoints_CorrectURLs verifies all multipart XRPC endpoints use correct URLs 532 532 - // This would have caught the old com.atproto.repo.uploadBlob vs new io.atcr.hold.* endpoints 533 533 - func TestMultipartEndpoints_CorrectURLs(t *testing.T) { 243 243 + // TestParseJWTExpiry_InvalidToken tests error handling for invalid tokens 244 244 + func TestParseJWTExpiry_InvalidToken(t *testing.T) { 534 245 tests := []struct { 535 535 - name string 536 536 - testFunc func(*ProxyBlobStore) error 537 537 - expectedPath string 246 246 + name string 247 247 + token string 538 248 }{ 539 539 - { 540 540 - name: "startMultipartUpload", 541 541 - testFunc: func(store *ProxyBlobStore) error { 542 542 - _, err := store.startMultipartUpload(context.Background(), "sha256:test") 543 543 - return err 544 544 - }, 545 545 - expectedPath: atproto.HoldInitiateUpload, 546 546 - }, 547 547 - { 548 548 - name: "getPartUploadInfo", 549 549 - testFunc: func(store *ProxyBlobStore) error { 550 550 - _, err := store.getPartUploadInfo(context.Background(), "sha256:test", "upload-123", 1) 551 551 - return err 552 552 - }, 553 553 - expectedPath: atproto.HoldGetPartUploadURL, 554 554 - }, 555 555 - { 556 556 - name: "completeMultipartUpload", 557 557 - testFunc: func(store *ProxyBlobStore) error { 558 558 - parts := []CompletedPart{{PartNumber: 1, ETag: "etag1"}} 559 559 - return store.completeMultipartUpload(context.Background(), "sha256:test", "upload-123", parts) 560 560 - }, 561 561 - expectedPath: atproto.HoldCompleteUpload, 562 562 - }, 563 563 - { 564 564 - name: "abortMultipartUpload", 565 565 - testFunc: func(store *ProxyBlobStore) error { 566 566 - return store.abortMultipartUpload(context.Background(), "sha256:test", "upload-123") 567 567 - }, 568 568 - expectedPath: atproto.HoldAbortUpload, 569 569 - }, 249 249 + {"empty token", ""}, 250 250 + {"single part", "header"}, 251 251 + {"two parts", "header.payload"}, 252 252 + {"invalid base64 payload", "header.!!!.signature"}, 253 253 + {"missing exp claim", "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(`{"sub":"test"}`) + ".sig"}, 570 254 } 571 255 572 256 for _, tt := range tests { 573 257 t.Run(tt.name, func(t *testing.T) { 574 574 - var capturedPath string 575 575 - 576 576 - // Mock hold service that captures request path 577 577 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 578 578 - capturedPath = r.URL.Path 579 579 - 580 580 - // Return success response 581 581 - w.Header().Set("Content-Type", "application/json") 582 582 - w.WriteHeader(http.StatusOK) 583 583 - resp := map[string]string{ 584 584 - "uploadId": "test-upload-id", 585 585 - "url": "https://s3.example.com/presigned", 586 586 - } 587 587 - json.NewEncoder(w).Encode(resp) 588 588 - })) 589 589 - defer holdServer.Close() 590 590 - 591 591 - // Create store with service token in context 592 592 - ctx := &RegistryContext{ 593 593 - DID: "did:plc:test", 594 594 - HoldDID: "did:web:hold.example.com", 595 595 - PDSEndpoint: "https://pds.example.com", 596 596 - Repository: "test-repo", 597 597 - ServiceToken: "test-service-token", // Service token from middleware 598 598 - } 599 599 - store := NewProxyBlobStore(ctx) 600 600 - store.holdURL = holdServer.URL 601 601 - 602 602 - // Call the function 603 603 - _ = tt.testFunc(store) // Ignore error, we just care about the URL 604 604 - 605 605 - // Verify correct endpoint was called 606 606 - if capturedPath != tt.expectedPath { 607 607 - t.Errorf("Expected endpoint %s, got %s", tt.expectedPath, capturedPath) 608 608 - } 609 609 - 610 610 - // Verify it's NOT the old endpoint 611 611 - if strings.Contains(capturedPath, "com.atproto.repo.uploadBlob") { 612 612 - t.Error("Still using old com.atproto.repo.uploadBlob endpoint!") 258 258 + _, err := auth.ParseJWTExpiry(tt.token) 259 259 + if err == nil { 260 260 + t.Error("Expected error for invalid token") 613 261 } 614 262 }) 615 263 } 616 264 } 265 265 + 266 266 + // Note: Tests for doAuthenticatedRequest, Get, Open, completeMultipartUpload, etc. 267 267 + // require complex dependency mocking (OAuth refresher, PDS resolution, HoldAuthorizer). 268 268 + // These should be tested at the integration level with proper infrastructure. 269 269 + // 270 270 + // The current unit tests cover: 271 271 + // - Global service token cache (auth.GetServiceToken, auth.SetServiceToken, etc.) 272 272 + // - URL resolution (atproto.ResolveHoldURL) 273 273 + // - JWT parsing (auth.ParseJWTExpiry) 274 274 + // - Store construction (NewProxyBlobStore)

+39 -74

pkg/appview/storage/routing_repository.go

··· 6 6 7 7 import ( 8 8 "context" 9 9 + "database/sql" 9 10 "log/slog" 10 10 - "sync" 11 11 12 12 + "atcr.io/pkg/auth" 12 13 "github.com/distribution/distribution/v3" 14 14 + "github.com/distribution/reference" 13 15 ) 14 16 15 15 - // RoutingRepository routes manifests to ATProto and blobs to external hold service 16 16 - // The registry (AppView) is stateless and NEVER stores blobs locally 17 17 + // RoutingRepository routes manifests to ATProto and blobs to external hold service. 18 18 + // The registry (AppView) is stateless and NEVER stores blobs locally. 19 19 + // A new instance is created per HTTP request - no caching or synchronization needed. 17 20 type RoutingRepository struct { 18 21 distribution.Repository 19 19 - Ctx *RegistryContext // All context and services (exported for token updates) 20 20 - mu sync.Mutex // Protects manifestStore and blobStore 21 21 - manifestStore *ManifestStore // Cached manifest store instance 22 22 - blobStore *ProxyBlobStore // Cached blob store instance 22 22 + userCtx *auth.UserContext 23 23 + sqlDB *sql.DB 23 24 } 24 25 25 26 // NewRoutingRepository creates a new routing repository 26 26 - func NewRoutingRepository(baseRepo distribution.Repository, ctx *RegistryContext) *RoutingRepository { 27 27 + func NewRoutingRepository(baseRepo distribution.Repository, userCtx *auth.UserContext, sqlDB *sql.DB) *RoutingRepository { 27 28 return &RoutingRepository{ 28 29 Repository: baseRepo, 29 29 - Ctx: ctx, 30 30 + userCtx: userCtx, 31 31 + sqlDB: sqlDB, 30 32 } 31 33 } 32 34 33 35 // Manifests returns the ATProto-backed manifest service 34 36 func (r *RoutingRepository) Manifests(ctx context.Context, options ...distribution.ManifestServiceOption) (distribution.ManifestService, error) { 35 35 - r.mu.Lock() 36 36 - // Create or return cached manifest store 37 37 - if r.manifestStore == nil { 38 38 - // Ensure blob store is created first (needed for label extraction during push) 39 39 - // Release lock while calling Blobs to avoid deadlock 40 40 - r.mu.Unlock() 41 41 - blobStore := r.Blobs(ctx) 42 42 - r.mu.Lock() 43 43 - 44 44 - // Double-check after reacquiring lock (another goroutine might have set it) 45 45 - if r.manifestStore == nil { 46 46 - r.manifestStore = NewManifestStore(r.Ctx, blobStore) 47 47 - } 48 48 - } 49 49 - manifestStore := r.manifestStore 50 50 - r.mu.Unlock() 51 51 - 52 52 - return manifestStore, nil 37 37 + // blobStore used to fetch labels from th 38 38 + blobStore := r.Blobs(ctx) 39 39 + return NewManifestStore(r.userCtx, blobStore, r.sqlDB), nil 53 40 } 54 41 55 42 // Blobs returns a proxy blob store that routes to external hold service 56 56 - // The registry (AppView) NEVER stores blobs locally - all blobs go through hold service 57 43 func (r *RoutingRepository) Blobs(ctx context.Context) distribution.BlobStore { 58 58 - r.mu.Lock() 59 59 - // Return cached blob store if available 60 60 - if r.blobStore != nil { 61 61 - blobStore := r.blobStore 62 62 - r.mu.Unlock() 63 63 - slog.Debug("Returning cached blob store", "component", "storage/blobs", "did", r.Ctx.DID, "repo", r.Ctx.Repository) 64 64 - return blobStore 65 65 - } 66 66 - 67 67 - // Determine if this is a pull (GET) or push (PUT/POST/HEAD/etc) operation 68 68 - // Pull operations use the historical hold DID from the database (blobs are where they were pushed) 69 69 - // Push operations use the discovery-based hold DID from user's profile/default 70 70 - // This allows users to change their default hold and have new pushes go there 71 71 - isPull := false 72 72 - if method, ok := ctx.Value("http.request.method").(string); ok { 73 73 - isPull = method == "GET" 74 74 - } 75 75 - 76 76 - holdDID := r.Ctx.HoldDID // Default to discovery-based DID 77 77 - holdSource := "discovery" 78 78 - 79 79 - // Only query database for pull operations 80 80 - if isPull && r.Ctx.Database != nil { 81 81 - // Query database for the latest manifest's hold DID 82 82 - if dbHoldDID, err := r.Ctx.Database.GetLatestHoldDIDForRepo(r.Ctx.DID, r.Ctx.Repository); err == nil && dbHoldDID != "" { 83 83 - // Use hold DID from database (pull case - use historical reference) 84 84 - holdDID = dbHoldDID 85 85 - holdSource = "database" 86 86 - slog.Debug("Using hold from database manifest (pull)", "component", "storage/blobs", "did", r.Ctx.DID, "repo", r.Ctx.Repository, "hold", dbHoldDID) 87 87 - } else if err != nil { 88 88 - // Log error but don't fail - fall back to discovery-based DID 89 89 - slog.Warn("Failed to query database for hold DID", "component", "storage/blobs", "error", err) 90 90 - } 91 91 - // If dbHoldDID is empty (no manifests yet), fall through to use discovery-based DID 44 44 + // Resolve hold DID: pull uses DB lookup, push uses profile discovery 45 45 + holdDID, err := r.userCtx.ResolveHoldDID(ctx, r.sqlDB) 46 46 + if err != nil { 47 47 + slog.Warn("Failed to resolve hold DID", "component", "storage/blobs", "error", err) 48 48 + holdDID = r.userCtx.TargetHoldDID 92 49 } 93 50 94 51 if holdDID == "" { 95 95 - // This should never happen if middleware is configured correctly 96 96 - panic("hold DID not set in RegistryContext - ensure default_hold_did is configured in middleware") 52 52 + panic("hold DID not set - ensure default_hold_did is configured in middleware") 97 53 } 98 54 99 99 - slog.Debug("Using hold DID for blobs", "component", "storage/blobs", "did", r.Ctx.DID, "repo", r.Ctx.Repository, "hold", holdDID, "source", holdSource) 100 100 - 101 101 - // Update context with the correct hold DID (may be from database or discovered) 102 102 - r.Ctx.HoldDID = holdDID 55 55 + slog.Debug("Using hold DID for blobs", "component", "storage/blobs", "did", r.userCtx.TargetOwnerDID, "repo", r.userCtx.TargetRepo, "hold", holdDID, "action", r.userCtx.Action.String()) 103 56 104 104 - // Create and cache proxy blob store 105 105 - r.blobStore = NewProxyBlobStore(r.Ctx) 106 106 - blobStore := r.blobStore 107 107 - r.mu.Unlock() 108 108 - return blobStore 57 57 + return NewProxyBlobStore(r.userCtx) 109 58 } 110 59 111 60 // Tags returns the tag service 112 61 // Tags are stored in ATProto as io.atcr.tag records 113 62 func (r *RoutingRepository) Tags(ctx context.Context) distribution.TagService { 114 114 - return NewTagStore(r.Ctx.ATProtoClient, r.Ctx.Repository) 63 63 + return NewTagStore(r.userCtx.GetATProtoClient(), r.userCtx.TargetRepo) 64 64 + } 65 65 + 66 66 + // Named returns a reference to the repository name. 67 67 + // If the base repository is set, it delegates to the base. 68 68 + // Otherwise, it constructs a name from the user context. 69 69 + func (r *RoutingRepository) Named() reference.Named { 70 70 + if r.Repository != nil { 71 71 + return r.Repository.Named() 72 72 + } 73 73 + // Construct from user context 74 74 + name, err := reference.WithName(r.userCtx.TargetRepo) 75 75 + if err != nil { 76 76 + // Fallback: return a simple reference 77 77 + name, _ = reference.WithName("unknown") 78 78 + } 79 79 + return name 115 80 }

+179 -301

pkg/appview/storage/routing_repository_test.go

··· 2 2 3 3 import ( 4 4 "context" 5 5 - "sync" 6 5 "testing" 7 6 8 8 - "github.com/distribution/distribution/v3" 9 7 "github.com/stretchr/testify/assert" 10 8 "github.com/stretchr/testify/require" 11 9 12 10 "atcr.io/pkg/atproto" 11 11 + "atcr.io/pkg/auth" 13 12 ) 14 13 15 15 - // mockDatabase is a simple mock for testing 16 16 - type mockDatabase struct { 17 17 - holdDID string 18 18 - err error 19 19 - } 14 14 + // mockUserContext creates a mock auth.UserContext for testing. 15 15 + // It sets up both the user identity and target info, and configures 16 16 + // test helpers to bypass network calls. 17 17 + func mockUserContext(did, authMethod, httpMethod, targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID string) *auth.UserContext { 18 18 + userCtx := auth.NewUserContext(did, authMethod, httpMethod, nil) 19 19 + userCtx.SetTarget(targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID) 20 20 21 21 - func (m *mockDatabase) IncrementPullCount(did, repository string) error { 22 22 - return nil 23 23 - } 21 21 + // Bypass PDS resolution (avoids network calls) 22 22 + userCtx.SetPDSForTest(targetOwnerHandle, targetOwnerPDS) 23 23 + 24 24 + // Set up mock authorizer that allows access 25 25 + userCtx.SetAuthorizerForTest(auth.NewMockHoldAuthorizer()) 26 26 + 27 27 + // Set default hold DID for push resolution 28 28 + userCtx.SetDefaultHoldDIDForTest(targetHoldDID) 24 29 25 25 - func (m *mockDatabase) IncrementPushCount(did, repository string) error { 26 26 - return nil 30 30 + return userCtx 27 31 } 28 32 29 29 - func (m *mockDatabase) GetLatestHoldDIDForRepo(did, repository string) (string, error) { 30 30 - if m.err != nil { 31 31 - return "", m.err 32 32 - } 33 33 - return m.holdDID, nil 33 33 + // mockUserContextWithToken creates a mock UserContext with a pre-populated service token. 34 34 + func mockUserContextWithToken(did, authMethod, httpMethod, targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID, serviceToken string) *auth.UserContext { 35 35 + userCtx := mockUserContext(did, authMethod, httpMethod, targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID) 36 36 + userCtx.SetServiceTokenForTest(targetHoldDID, serviceToken) 37 37 + return userCtx 34 38 } 35 39 36 40 func TestNewRoutingRepository(t *testing.T) { 37 37 - ctx := &RegistryContext{ 38 38 - DID: "did:plc:test123", 39 39 - Repository: "debian", 40 40 - HoldDID: "did:web:hold01.atcr.io", 41 41 - ATProtoClient: &atproto.Client{}, 42 42 - } 43 43 - 44 44 - repo := NewRoutingRepository(nil, ctx) 41 41 + userCtx := mockUserContext( 42 42 + "did:plc:test123", // authenticated user 43 43 + "oauth", // auth method 44 44 + "GET", // HTTP method 45 45 + "did:plc:test123", // target owner 46 46 + "test.handle", // target owner handle 47 47 + "https://pds.example.com", // target owner PDS 48 48 + "debian", // repository 49 49 + "did:web:hold01.atcr.io", // hold DID 50 50 + ) 45 51 46 46 - if repo.Ctx.DID != "did:plc:test123" { 47 47 - t.Errorf("Expected DID %q, got %q", "did:plc:test123", repo.Ctx.DID) 48 48 - } 52 52 + repo := NewRoutingRepository(nil, userCtx, nil) 49 53 50 50 - if repo.Ctx.Repository != "debian" { 51 51 - t.Errorf("Expected repository %q, got %q", "debian", repo.Ctx.Repository) 54 54 + if repo.userCtx.TargetOwnerDID != "did:plc:test123" { 55 55 + t.Errorf("Expected TargetOwnerDID %q, got %q", "did:plc:test123", repo.userCtx.TargetOwnerDID) 52 56 } 53 57 54 54 - if repo.manifestStore != nil { 55 55 - t.Error("Expected manifestStore to be nil initially") 58 58 + if repo.userCtx.TargetRepo != "debian" { 59 59 + t.Errorf("Expected TargetRepo %q, got %q", "debian", repo.userCtx.TargetRepo) 56 60 } 57 61 58 58 - if repo.blobStore != nil { 59 59 - t.Error("Expected blobStore to be nil initially") 62 62 + if repo.userCtx.TargetHoldDID != "did:web:hold01.atcr.io" { 63 63 + t.Errorf("Expected TargetHoldDID %q, got %q", "did:web:hold01.atcr.io", repo.userCtx.TargetHoldDID) 60 64 } 61 65 } 62 66 63 67 // TestRoutingRepository_Manifests tests the Manifests() method 64 68 func TestRoutingRepository_Manifests(t *testing.T) { 65 65 - ctx := &RegistryContext{ 66 66 - DID: "did:plc:test123", 67 67 - Repository: "myapp", 68 68 - HoldDID: "did:web:hold01.atcr.io", 69 69 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 70 70 - } 69 69 + userCtx := mockUserContext( 70 70 + "did:plc:test123", 71 71 + "oauth", 72 72 + "GET", 73 73 + "did:plc:test123", 74 74 + "test.handle", 75 75 + "https://pds.example.com", 76 76 + "myapp", 77 77 + "did:web:hold01.atcr.io", 78 78 + ) 71 79 72 72 - repo := NewRoutingRepository(nil, ctx) 80 80 + repo := NewRoutingRepository(nil, userCtx, nil) 73 81 manifestService, err := repo.Manifests(context.Background()) 74 82 75 83 require.NoError(t, err) 76 84 assert.NotNil(t, manifestService) 77 77 - 78 78 - // Verify the manifest store is cached 79 79 - assert.NotNil(t, repo.manifestStore, "manifest store should be cached") 80 80 - 81 81 - // Call again and verify we get the same instance 82 82 - manifestService2, err := repo.Manifests(context.Background()) 83 83 - require.NoError(t, err) 84 84 - assert.Same(t, manifestService, manifestService2, "should return cached manifest store") 85 85 } 86 86 87 87 - // TestRoutingRepository_ManifestStoreCaching tests that manifest store is cached 88 88 - func TestRoutingRepository_ManifestStoreCaching(t *testing.T) { 89 89 - ctx := &RegistryContext{ 90 90 - DID: "did:plc:test123", 91 91 - Repository: "myapp", 92 92 - HoldDID: "did:web:hold01.atcr.io", 93 93 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 94 94 - } 95 95 - 96 96 - repo := NewRoutingRepository(nil, ctx) 97 97 - 98 98 - // First call creates the store 99 99 - store1, err := repo.Manifests(context.Background()) 100 100 - require.NoError(t, err) 101 101 - assert.NotNil(t, store1) 102 102 - 103 103 - // Second call returns cached store 104 104 - store2, err := repo.Manifests(context.Background()) 105 105 - require.NoError(t, err) 106 106 - assert.Same(t, store1, store2, "should return cached manifest store instance") 107 107 - 108 108 - // Verify internal cache 109 109 - assert.NotNil(t, repo.manifestStore) 110 110 - } 111 111 - 112 112 - // TestRoutingRepository_Blobs_PullUsesDatabase tests that GET (pull) uses database hold DID 113 113 - func TestRoutingRepository_Blobs_PullUsesDatabase(t *testing.T) { 114 114 - dbHoldDID := "did:web:database.hold.io" 115 115 - discoveryHoldDID := "did:web:discovery.hold.io" 116 116 - 117 117 - ctx := &RegistryContext{ 118 118 - DID: "did:plc:test123", 119 119 - Repository: "myapp", 120 120 - HoldDID: discoveryHoldDID, // Discovery-based hold (should be overridden for pull) 121 121 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 122 122 - Database: &mockDatabase{holdDID: dbHoldDID}, 123 123 - } 124 124 - 125 125 - repo := NewRoutingRepository(nil, ctx) 126 126 - 127 127 - // Create context with GET method (pull operation) 128 128 - pullCtx := context.WithValue(context.Background(), "http.request.method", "GET") 129 129 - blobStore := repo.Blobs(pullCtx) 130 130 - 131 131 - assert.NotNil(t, blobStore) 132 132 - // Verify the hold DID was updated to use the database value for pull 133 133 - assert.Equal(t, dbHoldDID, repo.Ctx.HoldDID, "pull (GET) should use database hold DID") 134 134 - } 135 135 - 136 136 - // TestRoutingRepository_Blobs_PushUsesDiscovery tests that push operations use discovery hold DID 137 137 - func TestRoutingRepository_Blobs_PushUsesDiscovery(t *testing.T) { 138 138 - dbHoldDID := "did:web:database.hold.io" 139 139 - discoveryHoldDID := "did:web:discovery.hold.io" 140 140 - 141 141 - testCases := []struct { 142 142 - name string 143 143 - method string 144 144 - }{ 145 145 - {"PUT", "PUT"}, 146 146 - {"POST", "POST"}, 147 147 - {"HEAD", "HEAD"}, 148 148 - {"PATCH", "PATCH"}, 149 149 - {"DELETE", "DELETE"}, 150 150 - } 151 151 - 152 152 - for _, tc := range testCases { 153 153 - t.Run(tc.name, func(t *testing.T) { 154 154 - ctx := &RegistryContext{ 155 155 - DID: "did:plc:test123", 156 156 - Repository: "myapp-" + tc.method, // Unique repo to avoid caching 157 157 - HoldDID: discoveryHoldDID, 158 158 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 159 159 - Database: &mockDatabase{holdDID: dbHoldDID}, 160 160 - } 161 161 - 162 162 - repo := NewRoutingRepository(nil, ctx) 163 163 - 164 164 - // Create context with push method 165 165 - pushCtx := context.WithValue(context.Background(), "http.request.method", tc.method) 166 166 - blobStore := repo.Blobs(pushCtx) 167 167 - 168 168 - assert.NotNil(t, blobStore) 169 169 - // Verify the hold DID remains the discovery-based one for push operations 170 170 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "%s should use discovery hold DID, not database", tc.method) 171 171 - }) 172 172 - } 173 173 - } 174 174 - 175 175 - // TestRoutingRepository_Blobs_NoMethodUsesDiscovery tests that missing method defaults to discovery 176 176 - func TestRoutingRepository_Blobs_NoMethodUsesDiscovery(t *testing.T) { 177 177 - dbHoldDID := "did:web:database.hold.io" 178 178 - discoveryHoldDID := "did:web:discovery.hold.io" 179 179 - 180 180 - ctx := &RegistryContext{ 181 181 - DID: "did:plc:test123", 182 182 - Repository: "myapp-nomethod", 183 183 - HoldDID: discoveryHoldDID, 184 184 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 185 185 - Database: &mockDatabase{holdDID: dbHoldDID}, 186 186 - } 187 187 - 188 188 - repo := NewRoutingRepository(nil, ctx) 189 189 - 190 190 - // Context without HTTP method (shouldn't happen in practice, but test defensive behavior) 191 191 - blobStore := repo.Blobs(context.Background()) 192 192 - 193 193 - assert.NotNil(t, blobStore) 194 194 - // Without method, should default to discovery (safer for push scenarios) 195 195 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "missing method should use discovery hold DID") 196 196 - } 197 197 - 198 198 - // TestRoutingRepository_Blobs_WithoutDatabase tests blob store with discovery-based hold 199 199 - func TestRoutingRepository_Blobs_WithoutDatabase(t *testing.T) { 200 200 - discoveryHoldDID := "did:web:discovery.hold.io" 201 201 - 202 202 - ctx := &RegistryContext{ 203 203 - DID: "did:plc:nocache456", 204 204 - Repository: "uncached-app", 205 205 - HoldDID: discoveryHoldDID, 206 206 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:nocache456", ""), 207 207 - Database: nil, // No database 208 208 - } 209 209 - 210 210 - repo := NewRoutingRepository(nil, ctx) 211 211 - blobStore := repo.Blobs(context.Background()) 212 212 - 213 213 - assert.NotNil(t, blobStore) 214 214 - // Verify the hold DID remains the discovery-based one 215 215 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "should use discovery-based hold DID") 216 216 - } 217 217 - 218 218 - // TestRoutingRepository_Blobs_DatabaseEmptyFallback tests fallback when database returns empty hold DID 219 219 - func TestRoutingRepository_Blobs_DatabaseEmptyFallback(t *testing.T) { 220 220 - discoveryHoldDID := "did:web:discovery.hold.io" 221 221 - 222 222 - ctx := &RegistryContext{ 223 223 - DID: "did:plc:test123", 224 224 - Repository: "newapp", 225 225 - HoldDID: discoveryHoldDID, 226 226 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 227 227 - Database: &mockDatabase{holdDID: ""}, // Empty string (no manifests yet) 228 228 - } 87 87 + // TestRoutingRepository_Blobs tests the Blobs() method 88 88 + func TestRoutingRepository_Blobs(t *testing.T) { 89 89 + userCtx := mockUserContext( 90 90 + "did:plc:test123", 91 91 + "oauth", 92 92 + "GET", 93 93 + "did:plc:test123", 94 94 + "test.handle", 95 95 + "https://pds.example.com", 96 96 + "myapp", 97 97 + "did:web:hold01.atcr.io", 98 98 + ) 229 99 230 230 - repo := NewRoutingRepository(nil, ctx) 100 100 + repo := NewRoutingRepository(nil, userCtx, nil) 231 101 blobStore := repo.Blobs(context.Background()) 232 102 233 103 assert.NotNil(t, blobStore) 234 234 - // Verify the hold DID falls back to discovery-based 235 235 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "should fall back to discovery-based hold DID when database returns empty") 236 236 - } 237 237 - 238 238 - // TestRoutingRepository_BlobStoreCaching tests that blob store is cached 239 239 - func TestRoutingRepository_BlobStoreCaching(t *testing.T) { 240 240 - ctx := &RegistryContext{ 241 241 - DID: "did:plc:test123", 242 242 - Repository: "myapp", 243 243 - HoldDID: "did:web:hold01.atcr.io", 244 244 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 245 245 - } 246 246 - 247 247 - repo := NewRoutingRepository(nil, ctx) 248 248 - 249 249 - // First call creates the store 250 250 - store1 := repo.Blobs(context.Background()) 251 251 - assert.NotNil(t, store1) 252 252 - 253 253 - // Second call returns cached store 254 254 - store2 := repo.Blobs(context.Background()) 255 255 - assert.Same(t, store1, store2, "should return cached blob store instance") 256 256 - 257 257 - // Verify internal cache 258 258 - assert.NotNil(t, repo.blobStore) 259 104 } 260 105 261 106 // TestRoutingRepository_Blobs_PanicOnEmptyHoldDID tests panic when hold DID is empty 262 107 func TestRoutingRepository_Blobs_PanicOnEmptyHoldDID(t *testing.T) { 263 263 - // Use a unique DID/repo to ensure no cache entry exists 264 264 - ctx := &RegistryContext{ 265 265 - DID: "did:plc:emptyholdtest999", 266 266 - Repository: "empty-hold-app", 267 267 - HoldDID: "", // Empty hold DID should panic 268 268 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:emptyholdtest999", ""), 269 269 - } 108 108 + // Create context without default hold and empty target hold 109 109 + userCtx := auth.NewUserContext("did:plc:emptyholdtest999", "oauth", "GET", nil) 110 110 + userCtx.SetTarget("did:plc:emptyholdtest999", "test.handle", "https://pds.example.com", "empty-hold-app", "") 111 111 + userCtx.SetPDSForTest("test.handle", "https://pds.example.com") 112 112 + userCtx.SetAuthorizerForTest(auth.NewMockHoldAuthorizer()) 113 113 + // Intentionally NOT setting default hold DID 270 114 271 271 - repo := NewRoutingRepository(nil, ctx) 115 115 + repo := NewRoutingRepository(nil, userCtx, nil) 272 116 273 117 // Should panic with empty hold DID 274 118 assert.Panics(t, func() { ··· 278 122 279 123 // TestRoutingRepository_Tags tests the Tags() method 280 124 func TestRoutingRepository_Tags(t *testing.T) { 281 281 - ctx := &RegistryContext{ 282 282 - DID: "did:plc:test123", 283 283 - Repository: "myapp", 284 284 - HoldDID: "did:web:hold01.atcr.io", 285 285 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 286 286 - } 125 125 + userCtx := mockUserContext( 126 126 + "did:plc:test123", 127 127 + "oauth", 128 128 + "GET", 129 129 + "did:plc:test123", 130 130 + "test.handle", 131 131 + "https://pds.example.com", 132 132 + "myapp", 133 133 + "did:web:hold01.atcr.io", 134 134 + ) 287 135 288 288 - repo := NewRoutingRepository(nil, ctx) 136 136 + repo := NewRoutingRepository(nil, userCtx, nil) 289 137 tagService := repo.Tags(context.Background()) 290 138 291 139 assert.NotNil(t, tagService) 292 140 293 293 - // Call again and verify we get a new instance (Tags() doesn't cache) 141 141 + // Call again and verify we get a fresh instance (no caching) 294 142 tagService2 := repo.Tags(context.Background()) 295 143 assert.NotNil(t, tagService2) 296 296 - // Tags service is not cached, so each call creates a new instance 297 144 } 298 145 299 299 - // TestRoutingRepository_ConcurrentAccess tests concurrent access to cached stores 300 300 - func TestRoutingRepository_ConcurrentAccess(t *testing.T) { 301 301 - ctx := &RegistryContext{ 302 302 - DID: "did:plc:test123", 303 303 - Repository: "myapp", 304 304 - HoldDID: "did:web:hold01.atcr.io", 305 305 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 146 146 + // TestRoutingRepository_UserContext tests that UserContext fields are properly set 147 147 + func TestRoutingRepository_UserContext(t *testing.T) { 148 148 + testCases := []struct { 149 149 + name string 150 150 + httpMethod string 151 151 + expectedAction auth.RequestAction 152 152 + }{ 153 153 + {"GET request is pull", "GET", auth.ActionPull}, 154 154 + {"HEAD request is pull", "HEAD", auth.ActionPull}, 155 155 + {"PUT request is push", "PUT", auth.ActionPush}, 156 156 + {"POST request is push", "POST", auth.ActionPush}, 157 157 + {"DELETE request is push", "DELETE", auth.ActionPush}, 306 158 } 307 159 308 308 - repo := NewRoutingRepository(nil, ctx) 309 309 - 310 310 - var wg sync.WaitGroup 311 311 - numGoroutines := 10 160 160 + for _, tc := range testCases { 161 161 + t.Run(tc.name, func(t *testing.T) { 162 162 + userCtx := mockUserContext( 163 163 + "did:plc:test123", 164 164 + "oauth", 165 165 + tc.httpMethod, 166 166 + "did:plc:test123", 167 167 + "test.handle", 168 168 + "https://pds.example.com", 169 169 + "myapp", 170 170 + "did:web:hold01.atcr.io", 171 171 + ) 312 172 313 313 - // Track all manifest stores returned 314 314 - manifestStores := make([]distribution.ManifestService, numGoroutines) 315 315 - blobStores := make([]distribution.BlobStore, numGoroutines) 173 173 + repo := NewRoutingRepository(nil, userCtx, nil) 316 174 317 317 - // Concurrent access to Manifests() 318 318 - for i := 0; i < numGoroutines; i++ { 319 319 - wg.Add(1) 320 320 - go func(index int) { 321 321 - defer wg.Done() 322 322 - store, err := repo.Manifests(context.Background()) 323 323 - require.NoError(t, err) 324 324 - manifestStores[index] = store 325 325 - }(i) 175 175 + assert.Equal(t, tc.expectedAction, repo.userCtx.Action, "action should match HTTP method") 176 176 + }) 326 177 } 178 178 + } 327 179 328 328 - wg.Wait() 329 329 - 330 330 - // Verify all stores are non-nil (due to race conditions, they may not all be the same instance) 331 331 - for i := 0; i < numGoroutines; i++ { 332 332 - assert.NotNil(t, manifestStores[i], "manifest store should not be nil") 180 180 + // TestRoutingRepository_DifferentHoldDIDs tests routing with different hold DIDs 181 181 + func TestRoutingRepository_DifferentHoldDIDs(t *testing.T) { 182 182 + testCases := []struct { 183 183 + name string 184 184 + holdDID string 185 185 + }{ 186 186 + {"did:web hold", "did:web:hold01.atcr.io"}, 187 187 + {"did:web with port", "did:web:localhost:8080"}, 188 188 + {"did:plc hold", "did:plc:xyz123"}, 333 189 } 334 190 335 335 - // After concurrent creation, subsequent calls should return the cached instance 336 336 - cachedStore, err := repo.Manifests(context.Background()) 337 337 - require.NoError(t, err) 338 338 - assert.NotNil(t, cachedStore) 339 339 - 340 340 - // Concurrent access to Blobs() 341 341 - for i := 0; i < numGoroutines; i++ { 342 342 - wg.Add(1) 343 343 - go func(index int) { 344 344 - defer wg.Done() 345 345 - blobStores[index] = repo.Blobs(context.Background()) 346 346 - }(i) 347 347 - } 191 191 + for _, tc := range testCases { 192 192 + t.Run(tc.name, func(t *testing.T) { 193 193 + userCtx := mockUserContext( 194 194 + "did:plc:test123", 195 195 + "oauth", 196 196 + "PUT", 197 197 + "did:plc:test123", 198 198 + "test.handle", 199 199 + "https://pds.example.com", 200 200 + "myapp", 201 201 + tc.holdDID, 202 202 + ) 348 203 349 349 - wg.Wait() 204 204 + repo := NewRoutingRepository(nil, userCtx, nil) 205 205 + blobStore := repo.Blobs(context.Background()) 350 206 351 351 - // Verify all stores are non-nil (due to race conditions, they may not all be the same instance) 352 352 - for i := 0; i < numGoroutines; i++ { 353 353 - assert.NotNil(t, blobStores[i], "blob store should not be nil") 207 207 + assert.NotNil(t, blobStore, "should create blob store for %s", tc.holdDID) 208 208 + }) 354 209 } 355 355 - 356 356 - // After concurrent creation, subsequent calls should return the cached instance 357 357 - cachedBlobStore := repo.Blobs(context.Background()) 358 358 - assert.NotNil(t, cachedBlobStore) 359 210 } 360 211 361 361 - // TestRoutingRepository_Blobs_PullPriority tests that database hold DID takes priority for pull (GET) 362 362 - func TestRoutingRepository_Blobs_PullPriority(t *testing.T) { 363 363 - dbHoldDID := "did:web:database.hold.io" 364 364 - discoveryHoldDID := "did:web:discovery.hold.io" 212 212 + // TestRoutingRepository_Named tests the Named() method 213 213 + func TestRoutingRepository_Named(t *testing.T) { 214 214 + userCtx := mockUserContext( 215 215 + "did:plc:test123", 216 216 + "oauth", 217 217 + "GET", 218 218 + "did:plc:test123", 219 219 + "test.handle", 220 220 + "https://pds.example.com", 221 221 + "myapp", 222 222 + "did:web:hold01.atcr.io", 223 223 + ) 365 224 366 366 - ctx := &RegistryContext{ 367 367 - DID: "did:plc:test123", 368 368 - Repository: "myapp-priority", 369 369 - HoldDID: discoveryHoldDID, // Discovery-based hold 370 370 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 371 371 - Database: &mockDatabase{holdDID: dbHoldDID}, // Database has a different hold DID 372 372 - } 225 225 + repo := NewRoutingRepository(nil, userCtx, nil) 373 226 374 374 - repo := NewRoutingRepository(nil, ctx) 227 227 + // Named() returns a reference.Named from the base repository 228 228 + // Since baseRepo is nil, this tests our implementation handles that case 229 229 + named := repo.Named() 375 230 376 376 - // For pull (GET), database should take priority 377 377 - pullCtx := context.WithValue(context.Background(), "http.request.method", "GET") 378 378 - blobStore := repo.Blobs(pullCtx) 231 231 + // With nil base, Named() should return a name constructed from context 232 232 + assert.NotNil(t, named) 233 233 + assert.Contains(t, named.Name(), "myapp") 234 234 + } 379 235 380 380 - assert.NotNil(t, blobStore) 381 381 - // Database hold DID should take priority over discovery for pull operations 382 382 - assert.Equal(t, dbHoldDID, repo.Ctx.HoldDID, "database hold DID should take priority over discovery for pull (GET)") 236 236 + // TestATProtoResolveHoldURL tests DID to URL resolution 237 237 + func TestATProtoResolveHoldURL(t *testing.T) { 238 238 + tests := []struct { 239 239 + name string 240 240 + holdDID string 241 241 + expected string 242 242 + }{ 243 243 + { 244 244 + name: "did:web simple domain", 245 245 + holdDID: "did:web:hold01.atcr.io", 246 246 + expected: "https://hold01.atcr.io", 247 247 + }, 248 248 + { 249 249 + name: "did:web with port (localhost)", 250 250 + holdDID: "did:web:localhost:8080", 251 251 + expected: "http://localhost:8080", 252 252 + }, 253 253 + } 254 254 + 255 255 + for _, tt := range tests { 256 256 + t.Run(tt.name, func(t *testing.T) { 257 257 + result := atproto.ResolveHoldURL(tt.holdDID) 258 258 + assert.Equal(t, tt.expected, result) 259 259 + }) 260 260 + } 383 261 }

+3 -3

pkg/appview/storage/tag_store.go

··· 36 36 return distribution.Descriptor{}, distribution.ErrTagUnknown{Tag: tag} 37 37 } 38 38 39 39 - var tagRecord atproto.Tag 39 39 + var tagRecord atproto.TagRecord 40 40 if err := json.Unmarshal(record.Value, &tagRecord); err != nil { 41 41 return distribution.Descriptor{}, fmt.Errorf("failed to unmarshal tag record: %w", err) 42 42 } ··· 91 91 92 92 var tags []string 93 93 for _, record := range records { 94 94 - var tagRecord atproto.Tag 94 94 + var tagRecord atproto.TagRecord 95 95 if err := json.Unmarshal(record.Value, &tagRecord); err != nil { 96 96 // Skip invalid records 97 97 continue ··· 116 116 117 117 var tags []string 118 118 for _, record := range records { 119 119 - var tagRecord atproto.Tag 119 119 + var tagRecord atproto.TagRecord 120 120 if err := json.Unmarshal(record.Value, &tagRecord); err != nil { 121 121 // Skip invalid records 122 122 continue

+6 -6

pkg/appview/storage/tag_store_test.go

··· 229 229 230 230 for _, tt := range tests { 231 231 t.Run(tt.name, func(t *testing.T) { 232 232 - var sentTagRecord *atproto.Tag 232 232 + var sentTagRecord *atproto.TagRecord 233 233 234 234 server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 235 235 if r.Method != "POST" { ··· 254 254 // Parse and verify tag record 255 255 recordData := body["record"].(map[string]any) 256 256 recordBytes, _ := json.Marshal(recordData) 257 257 - var tagRecord atproto.Tag 257 257 + var tagRecord atproto.TagRecord 258 258 json.Unmarshal(recordBytes, &tagRecord) 259 259 sentTagRecord = &tagRecord 260 260 ··· 284 284 285 285 if !tt.wantErr && sentTagRecord != nil { 286 286 // Verify the tag record 287 287 - if sentTagRecord.LexiconTypeID != atproto.TagCollection { 288 288 - t.Errorf("LexiconTypeID = %v, want %v", sentTagRecord.LexiconTypeID, atproto.TagCollection) 287 287 + if sentTagRecord.Type != atproto.TagCollection { 288 288 + t.Errorf("Type = %v, want %v", sentTagRecord.Type, atproto.TagCollection) 289 289 } 290 290 if sentTagRecord.Repository != "myapp" { 291 291 t.Errorf("Repository = %v, want myapp", sentTagRecord.Repository) ··· 295 295 } 296 296 // New records should have manifest field 297 297 expectedURI := atproto.BuildManifestURI("did:plc:test123", tt.digest.String()) 298 298 - if sentTagRecord.Manifest == nil || *sentTagRecord.Manifest != expectedURI { 298 298 + if sentTagRecord.Manifest != expectedURI { 299 299 t.Errorf("Manifest = %v, want %v", sentTagRecord.Manifest, expectedURI) 300 300 } 301 301 // New records should NOT have manifestDigest field 302 302 - if sentTagRecord.ManifestDigest != nil && *sentTagRecord.ManifestDigest != "" { 302 302 + if sentTagRecord.ManifestDigest != "" { 303 303 t.Errorf("ManifestDigest should be empty for new records, got %v", sentTagRecord.ManifestDigest) 304 304 } 305 305 }

+22

pkg/appview/templates/pages/404.html

··· 1 1 + {{ define "404" }} 2 2 + <!DOCTYPE html> 3 3 + <html lang="en"> 4 4 + <head> 5 5 + <title>404 - Lost at Sea | ATCR</title> 6 6 + {{ template "head" . }} 7 7 + </head> 8 8 + <body> 9 9 + {{ template "nav-simple" . }} 10 10 + <main class="error-page"> 11 11 + <div class="error-content"> 12 12 + <i data-lucide="anchor" class="error-icon"></i> 13 13 + <div class="error-code">404</div> 14 14 + <h1>Lost at Sea</h1> 15 15 + <p>The page you're looking for has drifted into uncharted waters.</p> 16 16 + <a href="/" class="btn btn-primary">Return to Port</a> 17 17 + </div> 18 18 + </main> 19 19 + <script>lucide.createIcons();</script> 20 20 + </body> 21 21 + </html> 22 22 + {{ end }}

+17 -5

pkg/appview/templates/pages/repository.html

··· 27 27 <!-- Repository Header --> 28 28 <div class="repository-header"> 29 29 <div class="repo-hero"> 30 30 - {{ if .Repository.IconURL }} 31 31 - <img src="{{ .Repository.IconURL }}" alt="{{ .Repository.Name }}" class="repo-hero-icon"> 32 32 - {{ else }} 33 33 - <div class="repo-hero-icon-placeholder">{{ firstChar .Repository.Name }}</div> 34 34 - {{ end }} 30 30 + <div class="repo-hero-icon-wrapper"> 31 31 + {{ if .Repository.IconURL }} 32 32 + <img src="{{ .Repository.IconURL }}" alt="{{ .Repository.Name }}" class="repo-hero-icon"> 33 33 + {{ else }} 34 34 + <div class="repo-hero-icon-placeholder">{{ firstChar .Repository.Name }}</div> 35 35 + {{ end }} 36 36 + {{ if $.IsOwner }} 37 37 + <label class="avatar-upload-overlay" for="avatar-upload"> 38 38 + <i data-lucide="plus"></i> 39 39 + </label> 40 40 + <input type="file" id="avatar-upload" accept="image/png,image/jpeg,image/webp" 41 41 + onchange="uploadAvatar(this, '{{ .Repository.Name }}')" hidden> 42 42 + {{ end }} 43 43 + </div> 35 44 <div class="repo-hero-info"> 36 45 <h1> 37 46 <a href="/u/{{ .Owner.Handle }}" class="owner-link">{{ .Owner.Handle }}</a> ··· 129 138 <span class="tag-name-large">{{ .Tag.Tag }}</span> 130 139 {{ if .IsMultiArch }} 131 140 <span class="badge-multi">Multi-arch</span> 141 141 + {{ end }} 142 142 + {{ if .HasAttestations }} 143 143 + <span class="badge-attestation"><i data-lucide="shield-check"></i> Attestations</span> 132 144 {{ end }} 133 145 </div> 134 146 <div style="display: flex; gap: 1rem; align-items: center;">

-9

pkg/appview/templates/partials/push-list.html

··· 44 44 </div> 45 45 {{ end }} 46 46 47 47 - {{ if .HasMore }} 48 48 - <button class="load-more" 49 49 - hx-get="/api/recent-pushes?offset={{ .NextOffset }}" 50 50 - hx-target="#push-list" 51 51 - hx-swap="beforeend"> 52 52 - Load More 53 53 - </button> 54 54 - {{ end }} 55 55 - 56 47 {{ if eq (len .Pushes) 0 }} 57 48 <div class="empty-state"> 58 49 <p>No pushes yet. Start using ATCR by pushing your first image!</p>

-65

pkg/appview/utils_test.go

··· 1 1 - package appview 2 2 - 3 3 - import ( 4 4 - "testing" 5 5 - 6 6 - "atcr.io/pkg/atproto" 7 7 - ) 8 8 - 9 9 - func TestResolveHoldURL(t *testing.T) { 10 10 - tests := []struct { 11 11 - name string 12 12 - input string 13 13 - expected string 14 14 - }{ 15 15 - { 16 16 - name: "DID with HTTPS domain", 17 17 - input: "did:web:hold.example.com", 18 18 - expected: "https://hold.example.com", 19 19 - }, 20 20 - { 21 21 - name: "DID with HTTP and port (IP)", 22 22 - input: "did:web:172.28.0.3:8080", 23 23 - expected: "http://172.28.0.3:8080", 24 24 - }, 25 25 - { 26 26 - name: "DID with HTTP and port (localhost)", 27 27 - input: "did:web:127.0.0.1:8080", 28 28 - expected: "http://127.0.0.1:8080", 29 29 - }, 30 30 - { 31 31 - name: "DID with localhost", 32 32 - input: "did:web:localhost:8080", 33 33 - expected: "http://localhost:8080", 34 34 - }, 35 35 - { 36 36 - name: "Already HTTPS URL (passthrough)", 37 37 - input: "https://hold.example.com", 38 38 - expected: "https://hold.example.com", 39 39 - }, 40 40 - { 41 41 - name: "Already HTTP URL (passthrough)", 42 42 - input: "http://172.28.0.3:8080", 43 43 - expected: "http://172.28.0.3:8080", 44 44 - }, 45 45 - { 46 46 - name: "Plain hostname (fallback to HTTPS)", 47 47 - input: "hold.example.com", 48 48 - expected: "https://hold.example.com", 49 49 - }, 50 50 - { 51 51 - name: "DID with subdomain", 52 52 - input: "did:web:hold01.atcr.io", 53 53 - expected: "https://hold01.atcr.io", 54 54 - }, 55 55 - } 56 56 - 57 57 - for _, tt := range tests { 58 58 - t.Run(tt.name, func(t *testing.T) { 59 59 - result := atproto.ResolveHoldURL(tt.input) 60 60 - if result != tt.expected { 61 61 - t.Errorf("ResolveHoldURL(%q) = %q, want %q", tt.input, result, tt.expected) 62 62 - } 63 63 - }) 64 64 - } 65 65 - }

+126 -2958

pkg/atproto/cbor_gen.go

··· 8 8 "math" 9 9 "sort" 10 10 11 11 - util "github.com/bluesky-social/indigo/lex/util" 12 11 cid "github.com/ipfs/go-cid" 13 12 cbg "github.com/whyrusleeping/cbor-gen" 14 13 xerrors "golang.org/x/xerrors" ··· 19 18 var _ = math.E 20 19 var _ = sort.Sort 21 20 22 22 - func (t *Manifest) MarshalCBOR(w io.Writer) error { 21 21 + func (t *CrewRecord) MarshalCBOR(w io.Writer) error { 23 22 if t == nil { 24 23 _, err := w.Write(cbg.CborNull) 25 24 return err 26 25 } 27 26 28 27 cw := cbg.NewCborWriter(w) 29 29 - fieldCount := 14 30 28 31 31 - if t.Annotations == nil { 32 32 - fieldCount-- 33 33 - } 34 34 - 35 35 - if t.Config == nil { 36 36 - fieldCount-- 37 37 - } 38 38 - 39 39 - if t.HoldDid == nil { 40 40 - fieldCount-- 41 41 - } 42 42 - 43 43 - if t.HoldEndpoint == nil { 44 44 - fieldCount-- 45 45 - } 46 46 - 47 47 - if t.Layers == nil { 48 48 - fieldCount-- 49 49 - } 50 50 - 51 51 - if t.ManifestBlob == nil { 52 52 - fieldCount-- 53 53 - } 54 54 - 55 55 - if t.Manifests == nil { 56 56 - fieldCount-- 57 57 - } 58 58 - 59 59 - if t.Subject == nil { 60 60 - fieldCount-- 61 61 - } 62 62 - 63 63 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 29 29 + if _, err := cw.Write([]byte{165}); err != nil { 64 30 return err 65 31 } 66 32 67 67 - // t.LexiconTypeID (string) (string) 68 68 - if len("$type") > 8192 { 69 69 - return xerrors.Errorf("Value in field \"$type\" was too long") 70 70 - } 71 71 - 72 72 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 73 73 - return err 74 74 - } 75 75 - if _, err := cw.WriteString(string("$type")); err != nil { 76 76 - return err 77 77 - } 78 78 - 79 79 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.manifest"))); err != nil { 80 80 - return err 81 81 - } 82 82 - if _, err := cw.WriteString(string("io.atcr.manifest")); err != nil { 83 83 - return err 84 84 - } 85 85 - 86 86 - // t.Config (atproto.Manifest_BlobReference) (struct) 87 87 - if t.Config != nil { 88 88 - 89 89 - if len("config") > 8192 { 90 90 - return xerrors.Errorf("Value in field \"config\" was too long") 91 91 - } 92 92 - 93 93 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("config"))); err != nil { 94 94 - return err 95 95 - } 96 96 - if _, err := cw.WriteString(string("config")); err != nil { 97 97 - return err 98 98 - } 99 99 - 100 100 - if err := t.Config.MarshalCBOR(cw); err != nil { 101 101 - return err 102 102 - } 103 103 - } 104 104 - 105 105 - // t.Digest (string) (string) 106 106 - if len("digest") > 8192 { 107 107 - return xerrors.Errorf("Value in field \"digest\" was too long") 108 108 - } 109 109 - 110 110 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("digest"))); err != nil { 111 111 - return err 112 112 - } 113 113 - if _, err := cw.WriteString(string("digest")); err != nil { 114 114 - return err 115 115 - } 116 116 - 117 117 - if len(t.Digest) > 8192 { 118 118 - return xerrors.Errorf("Value in field t.Digest was too long") 119 119 - } 120 120 - 121 121 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Digest))); err != nil { 122 122 - return err 123 123 - } 124 124 - if _, err := cw.WriteString(string(t.Digest)); err != nil { 125 125 - return err 126 126 - } 127 127 - 128 128 - // t.Layers ([]atproto.Manifest_BlobReference) (slice) 129 129 - if t.Layers != nil { 130 130 - 131 131 - if len("layers") > 8192 { 132 132 - return xerrors.Errorf("Value in field \"layers\" was too long") 133 133 - } 134 134 - 135 135 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("layers"))); err != nil { 136 136 - return err 137 137 - } 138 138 - if _, err := cw.WriteString(string("layers")); err != nil { 139 139 - return err 140 140 - } 141 141 - 142 142 - if len(t.Layers) > 8192 { 143 143 - return xerrors.Errorf("Slice value in field t.Layers was too long") 144 144 - } 145 145 - 146 146 - if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.Layers))); err != nil { 147 147 - return err 148 148 - } 149 149 - for _, v := range t.Layers { 150 150 - if err := v.MarshalCBOR(cw); err != nil { 151 151 - return err 152 152 - } 153 153 - 154 154 - } 155 155 - } 156 156 - 157 157 - // t.HoldDid (string) (string) 158 158 - if t.HoldDid != nil { 159 159 - 160 160 - if len("holdDid") > 8192 { 161 161 - return xerrors.Errorf("Value in field \"holdDid\" was too long") 162 162 - } 163 163 - 164 164 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("holdDid"))); err != nil { 165 165 - return err 166 166 - } 167 167 - if _, err := cw.WriteString(string("holdDid")); err != nil { 168 168 - return err 169 169 - } 170 170 - 171 171 - if t.HoldDid == nil { 172 172 - if _, err := cw.Write(cbg.CborNull); err != nil { 173 173 - return err 174 174 - } 175 175 - } else { 176 176 - if len(*t.HoldDid) > 8192 { 177 177 - return xerrors.Errorf("Value in field t.HoldDid was too long") 178 178 - } 179 179 - 180 180 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.HoldDid))); err != nil { 181 181 - return err 182 182 - } 183 183 - if _, err := cw.WriteString(string(*t.HoldDid)); err != nil { 184 184 - return err 185 185 - } 186 186 - } 187 187 - } 188 188 - 189 189 - // t.Subject (atproto.Manifest_BlobReference) (struct) 190 190 - if t.Subject != nil { 191 191 - 192 192 - if len("subject") > 8192 { 193 193 - return xerrors.Errorf("Value in field \"subject\" was too long") 194 194 - } 195 195 - 196 196 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("subject"))); err != nil { 197 197 - return err 198 198 - } 199 199 - if _, err := cw.WriteString(string("subject")); err != nil { 200 200 - return err 201 201 - } 202 202 - 203 203 - if err := t.Subject.MarshalCBOR(cw); err != nil { 204 204 - return err 205 205 - } 206 206 - } 207 207 - 208 208 - // t.CreatedAt (string) (string) 209 209 - if len("createdAt") > 8192 { 210 210 - return xerrors.Errorf("Value in field \"createdAt\" was too long") 211 211 - } 212 212 - 213 213 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("createdAt"))); err != nil { 214 214 - return err 215 215 - } 216 216 - if _, err := cw.WriteString(string("createdAt")); err != nil { 217 217 - return err 218 218 - } 219 219 - 220 220 - if len(t.CreatedAt) > 8192 { 221 221 - return xerrors.Errorf("Value in field t.CreatedAt was too long") 33 33 + // t.Role (string) (string) 34 34 + if len("role") > 8192 { 35 35 + return xerrors.Errorf("Value in field \"role\" was too long") 222 36 } 223 37 224 224 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.CreatedAt))); err != nil { 38 38 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("role"))); err != nil { 225 39 return err 226 40 } 227 227 - if _, err := cw.WriteString(string(t.CreatedAt)); err != nil { 41 41 + if _, err := cw.WriteString(string("role")); err != nil { 228 42 return err 229 43 } 230 44 231 231 - // t.Manifests ([]atproto.Manifest_ManifestReference) (slice) 232 232 - if t.Manifests != nil { 233 233 - 234 234 - if len("manifests") > 8192 { 235 235 - return xerrors.Errorf("Value in field \"manifests\" was too long") 236 236 - } 237 237 - 238 238 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("manifests"))); err != nil { 239 239 - return err 240 240 - } 241 241 - if _, err := cw.WriteString(string("manifests")); err != nil { 242 242 - return err 243 243 - } 244 244 - 245 245 - if len(t.Manifests) > 8192 { 246 246 - return xerrors.Errorf("Slice value in field t.Manifests was too long") 247 247 - } 248 248 - 249 249 - if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.Manifests))); err != nil { 250 250 - return err 251 251 - } 252 252 - for _, v := range t.Manifests { 253 253 - if err := v.MarshalCBOR(cw); err != nil { 254 254 - return err 255 255 - } 256 256 - 257 257 - } 45 45 + if len(t.Role) > 8192 { 46 46 + return xerrors.Errorf("Value in field t.Role was too long") 258 47 } 259 48 260 260 - // t.MediaType (string) (string) 261 261 - if len("mediaType") > 8192 { 262 262 - return xerrors.Errorf("Value in field \"mediaType\" was too long") 263 263 - } 264 264 - 265 265 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("mediaType"))); err != nil { 49 49 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Role))); err != nil { 266 50 return err 267 51 } 268 268 - if _, err := cw.WriteString(string("mediaType")); err != nil { 52 52 + if _, err := cw.WriteString(string(t.Role)); err != nil { 269 53 return err 270 54 } 271 55 272 272 - if len(t.MediaType) > 8192 { 273 273 - return xerrors.Errorf("Value in field t.MediaType was too long") 56 56 + // t.Type (string) (string) 57 57 + if len("$type") > 8192 { 58 58 + return xerrors.Errorf("Value in field \"$type\" was too long") 274 59 } 275 60 276 276 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.MediaType))); err != nil { 61 61 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 277 62 return err 278 63 } 279 279 - if _, err := cw.WriteString(string(t.MediaType)); err != nil { 64 64 + if _, err := cw.WriteString(string("$type")); err != nil { 280 65 return err 281 66 } 282 67 283 283 - // t.Repository (string) (string) 284 284 - if len("repository") > 8192 { 285 285 - return xerrors.Errorf("Value in field \"repository\" was too long") 68 68 + if len(t.Type) > 8192 { 69 69 + return xerrors.Errorf("Value in field t.Type was too long") 286 70 } 287 71 288 288 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("repository"))); err != nil { 72 72 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Type))); err != nil { 289 73 return err 290 74 } 291 291 - if _, err := cw.WriteString(string("repository")); err != nil { 75 75 + if _, err := cw.WriteString(string(t.Type)); err != nil { 292 76 return err 293 77 } 294 78 295 295 - if len(t.Repository) > 8192 { 296 296 - return xerrors.Errorf("Value in field t.Repository was too long") 79 79 + // t.Member (string) (string) 80 80 + if len("member") > 8192 { 81 81 + return xerrors.Errorf("Value in field \"member\" was too long") 297 82 } 298 83 299 299 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Repository))); err != nil { 84 84 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("member"))); err != nil { 300 85 return err 301 86 } 302 302 - if _, err := cw.WriteString(string(t.Repository)); err != nil { 87 87 + if _, err := cw.WriteString(string("member")); err != nil { 303 88 return err 304 89 } 305 90 306 306 - // t.Annotations (atproto.Manifest_Annotations) (struct) 307 307 - if t.Annotations != nil { 308 308 - 309 309 - if len("annotations") > 8192 { 310 310 - return xerrors.Errorf("Value in field \"annotations\" was too long") 311 311 - } 312 312 - 313 313 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("annotations"))); err != nil { 314 314 - return err 315 315 - } 316 316 - if _, err := cw.WriteString(string("annotations")); err != nil { 317 317 - return err 318 318 - } 319 319 - 320 320 - if err := t.Annotations.MarshalCBOR(cw); err != nil { 321 321 - return err 322 322 - } 91 91 + if len(t.Member) > 8192 { 92 92 + return xerrors.Errorf("Value in field t.Member was too long") 323 93 } 324 94 325 325 - // t.HoldEndpoint (string) (string) 326 326 - if t.HoldEndpoint != nil { 327 327 - 328 328 - if len("holdEndpoint") > 8192 { 329 329 - return xerrors.Errorf("Value in field \"holdEndpoint\" was too long") 330 330 - } 331 331 - 332 332 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("holdEndpoint"))); err != nil { 333 333 - return err 334 334 - } 335 335 - if _, err := cw.WriteString(string("holdEndpoint")); err != nil { 336 336 - return err 337 337 - } 338 338 - 339 339 - if t.HoldEndpoint == nil { 340 340 - if _, err := cw.Write(cbg.CborNull); err != nil { 341 341 - return err 342 342 - } 343 343 - } else { 344 344 - if len(*t.HoldEndpoint) > 8192 { 345 345 - return xerrors.Errorf("Value in field t.HoldEndpoint was too long") 346 346 - } 347 347 - 348 348 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.HoldEndpoint))); err != nil { 349 349 - return err 350 350 - } 351 351 - if _, err := cw.WriteString(string(*t.HoldEndpoint)); err != nil { 352 352 - return err 353 353 - } 354 354 - } 355 355 - } 356 356 - 357 357 - // t.ManifestBlob (util.LexBlob) (struct) 358 358 - if t.ManifestBlob != nil { 359 359 - 360 360 - if len("manifestBlob") > 8192 { 361 361 - return xerrors.Errorf("Value in field \"manifestBlob\" was too long") 362 362 - } 363 363 - 364 364 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("manifestBlob"))); err != nil { 365 365 - return err 366 366 - } 367 367 - if _, err := cw.WriteString(string("manifestBlob")); err != nil { 368 368 - return err 369 369 - } 370 370 - 371 371 - if err := t.ManifestBlob.MarshalCBOR(cw); err != nil { 372 372 - return err 373 373 - } 374 374 - } 375 375 - 376 376 - // t.SchemaVersion (int64) (int64) 377 377 - if len("schemaVersion") > 8192 { 378 378 - return xerrors.Errorf("Value in field \"schemaVersion\" was too long") 379 379 - } 380 380 - 381 381 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("schemaVersion"))); err != nil { 95 95 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Member))); err != nil { 382 96 return err 383 97 } 384 384 - if _, err := cw.WriteString(string("schemaVersion")); err != nil { 385 385 - return err 386 386 - } 387 387 - 388 388 - if t.SchemaVersion >= 0 { 389 389 - if err := cw.WriteMajorTypeHeader(cbg.MajUnsignedInt, uint64(t.SchemaVersion)); err != nil { 390 390 - return err 391 391 - } 392 392 - } else { 393 393 - if err := cw.WriteMajorTypeHeader(cbg.MajNegativeInt, uint64(-t.SchemaVersion-1)); err != nil { 394 394 - return err 395 395 - } 396 396 - } 397 397 - 398 398 - return nil 399 399 - } 400 400 - 401 401 - func (t *Manifest) UnmarshalCBOR(r io.Reader) (err error) { 402 402 - *t = Manifest{} 403 403 - 404 404 - cr := cbg.NewCborReader(r) 405 405 - 406 406 - maj, extra, err := cr.ReadHeader() 407 407 - if err != nil { 98 98 + if _, err := cw.WriteString(string(t.Member)); err != nil { 408 99 return err 409 100 } 410 410 - defer func() { 411 411 - if err == io.EOF { 412 412 - err = io.ErrUnexpectedEOF 413 413 - } 414 414 - }() 415 101 416 416 - if maj != cbg.MajMap { 417 417 - return fmt.Errorf("cbor input should be of type map") 418 418 - } 419 419 - 420 420 - if extra > cbg.MaxLength { 421 421 - return fmt.Errorf("Manifest: map struct too large (%d)", extra) 422 422 - } 423 423 - 424 424 - n := extra 425 425 - 426 426 - nameBuf := make([]byte, 13) 427 427 - for i := uint64(0); i < n; i++ { 428 428 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 429 429 - if err != nil { 430 430 - return err 431 431 - } 432 432 - 433 433 - if !ok { 434 434 - // Field doesn't exist on this type, so ignore it 435 435 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 436 436 - return err 437 437 - } 438 438 - continue 439 439 - } 440 440 - 441 441 - switch string(nameBuf[:nameLen]) { 442 442 - // t.LexiconTypeID (string) (string) 443 443 - case "$type": 444 444 - 445 445 - { 446 446 - sval, err := cbg.ReadStringWithMax(cr, 8192) 447 447 - if err != nil { 448 448 - return err 449 449 - } 450 450 - 451 451 - t.LexiconTypeID = string(sval) 452 452 - } 453 453 - // t.Config (atproto.Manifest_BlobReference) (struct) 454 454 - case "config": 455 455 - 456 456 - { 457 457 - 458 458 - b, err := cr.ReadByte() 459 459 - if err != nil { 460 460 - return err 461 461 - } 462 462 - if b != cbg.CborNull[0] { 463 463 - if err := cr.UnreadByte(); err != nil { 464 464 - return err 465 465 - } 466 466 - t.Config = new(Manifest_BlobReference) 467 467 - if err := t.Config.UnmarshalCBOR(cr); err != nil { 468 468 - return xerrors.Errorf("unmarshaling t.Config pointer: %w", err) 469 469 - } 470 470 - } 471 471 - 472 472 - } 473 473 - // t.Digest (string) (string) 474 474 - case "digest": 475 475 - 476 476 - { 477 477 - sval, err := cbg.ReadStringWithMax(cr, 8192) 478 478 - if err != nil { 479 479 - return err 480 480 - } 481 481 - 482 482 - t.Digest = string(sval) 483 483 - } 484 484 - // t.Layers ([]atproto.Manifest_BlobReference) (slice) 485 485 - case "layers": 486 486 - 487 487 - maj, extra, err = cr.ReadHeader() 488 488 - if err != nil { 489 489 - return err 490 490 - } 491 491 - 492 492 - if extra > 8192 { 493 493 - return fmt.Errorf("t.Layers: array too large (%d)", extra) 494 494 - } 495 495 - 496 496 - if maj != cbg.MajArray { 497 497 - return fmt.Errorf("expected cbor array") 498 498 - } 499 499 - 500 500 - if extra > 0 { 501 501 - t.Layers = make([]Manifest_BlobReference, extra) 502 502 - } 503 503 - 504 504 - for i := 0; i < int(extra); i++ { 505 505 - { 506 506 - var maj byte 507 507 - var extra uint64 508 508 - var err error 509 509 - _ = maj 510 510 - _ = extra 511 511 - _ = err 512 512 - 513 513 - { 514 514 - 515 515 - if err := t.Layers[i].UnmarshalCBOR(cr); err != nil { 516 516 - return xerrors.Errorf("unmarshaling t.Layers[i]: %w", err) 517 517 - } 518 518 - 519 519 - } 520 520 - 521 521 - } 522 522 - } 523 523 - // t.HoldDid (string) (string) 524 524 - case "holdDid": 525 525 - 526 526 - { 527 527 - b, err := cr.ReadByte() 528 528 - if err != nil { 529 529 - return err 530 530 - } 531 531 - if b != cbg.CborNull[0] { 532 532 - if err := cr.UnreadByte(); err != nil { 533 533 - return err 534 534 - } 535 535 - 536 536 - sval, err := cbg.ReadStringWithMax(cr, 8192) 537 537 - if err != nil { 538 538 - return err 539 539 - } 540 540 - 541 541 - t.HoldDid = (*string)(&sval) 542 542 - } 543 543 - } 544 544 - // t.Subject (atproto.Manifest_BlobReference) (struct) 545 545 - case "subject": 546 546 - 547 547 - { 548 548 - 549 549 - b, err := cr.ReadByte() 550 550 - if err != nil { 551 551 - return err 552 552 - } 553 553 - if b != cbg.CborNull[0] { 554 554 - if err := cr.UnreadByte(); err != nil { 555 555 - return err 556 556 - } 557 557 - t.Subject = new(Manifest_BlobReference) 558 558 - if err := t.Subject.UnmarshalCBOR(cr); err != nil { 559 559 - return xerrors.Errorf("unmarshaling t.Subject pointer: %w", err) 560 560 - } 561 561 - } 562 562 - 563 563 - } 564 564 - // t.CreatedAt (string) (string) 565 565 - case "createdAt": 566 566 - 567 567 - { 568 568 - sval, err := cbg.ReadStringWithMax(cr, 8192) 569 569 - if err != nil { 570 570 - return err 571 571 - } 572 572 - 573 573 - t.CreatedAt = string(sval) 574 574 - } 575 575 - // t.Manifests ([]atproto.Manifest_ManifestReference) (slice) 576 576 - case "manifests": 577 577 - 578 578 - maj, extra, err = cr.ReadHeader() 579 579 - if err != nil { 580 580 - return err 581 581 - } 582 582 - 583 583 - if extra > 8192 { 584 584 - return fmt.Errorf("t.Manifests: array too large (%d)", extra) 585 585 - } 586 586 - 587 587 - if maj != cbg.MajArray { 588 588 - return fmt.Errorf("expected cbor array") 589 589 - } 590 590 - 591 591 - if extra > 0 { 592 592 - t.Manifests = make([]Manifest_ManifestReference, extra) 593 593 - } 594 594 - 595 595 - for i := 0; i < int(extra); i++ { 596 596 - { 597 597 - var maj byte 598 598 - var extra uint64 599 599 - var err error 600 600 - _ = maj 601 601 - _ = extra 602 602 - _ = err 603 603 - 604 604 - { 605 605 - 606 606 - if err := t.Manifests[i].UnmarshalCBOR(cr); err != nil { 607 607 - return xerrors.Errorf("unmarshaling t.Manifests[i]: %w", err) 608 608 - } 609 609 - 610 610 - } 611 611 - 612 612 - } 613 613 - } 614 614 - // t.MediaType (string) (string) 615 615 - case "mediaType": 616 616 - 617 617 - { 618 618 - sval, err := cbg.ReadStringWithMax(cr, 8192) 619 619 - if err != nil { 620 620 - return err 621 621 - } 622 622 - 623 623 - t.MediaType = string(sval) 624 624 - } 625 625 - // t.Repository (string) (string) 626 626 - case "repository": 627 627 - 628 628 - { 629 629 - sval, err := cbg.ReadStringWithMax(cr, 8192) 630 630 - if err != nil { 631 631 - return err 632 632 - } 633 633 - 634 634 - t.Repository = string(sval) 635 635 - } 636 636 - // t.Annotations (atproto.Manifest_Annotations) (struct) 637 637 - case "annotations": 638 638 - 639 639 - { 640 640 - 641 641 - b, err := cr.ReadByte() 642 642 - if err != nil { 643 643 - return err 644 644 - } 645 645 - if b != cbg.CborNull[0] { 646 646 - if err := cr.UnreadByte(); err != nil { 647 647 - return err 648 648 - } 649 649 - t.Annotations = new(Manifest_Annotations) 650 650 - if err := t.Annotations.UnmarshalCBOR(cr); err != nil { 651 651 - return xerrors.Errorf("unmarshaling t.Annotations pointer: %w", err) 652 652 - } 653 653 - } 654 654 - 655 655 - } 656 656 - // t.HoldEndpoint (string) (string) 657 657 - case "holdEndpoint": 658 658 - 659 659 - { 660 660 - b, err := cr.ReadByte() 661 661 - if err != nil { 662 662 - return err 663 663 - } 664 664 - if b != cbg.CborNull[0] { 665 665 - if err := cr.UnreadByte(); err != nil { 666 666 - return err 667 667 - } 668 668 - 669 669 - sval, err := cbg.ReadStringWithMax(cr, 8192) 670 670 - if err != nil { 671 671 - return err 672 672 - } 673 673 - 674 674 - t.HoldEndpoint = (*string)(&sval) 675 675 - } 676 676 - } 677 677 - // t.ManifestBlob (util.LexBlob) (struct) 678 678 - case "manifestBlob": 679 679 - 680 680 - { 681 681 - 682 682 - b, err := cr.ReadByte() 683 683 - if err != nil { 684 684 - return err 685 685 - } 686 686 - if b != cbg.CborNull[0] { 687 687 - if err := cr.UnreadByte(); err != nil { 688 688 - return err 689 689 - } 690 690 - t.ManifestBlob = new(util.LexBlob) 691 691 - if err := t.ManifestBlob.UnmarshalCBOR(cr); err != nil { 692 692 - return xerrors.Errorf("unmarshaling t.ManifestBlob pointer: %w", err) 693 693 - } 694 694 - } 695 695 - 696 696 - } 697 697 - // t.SchemaVersion (int64) (int64) 698 698 - case "schemaVersion": 699 699 - { 700 700 - maj, extra, err := cr.ReadHeader() 701 701 - if err != nil { 702 702 - return err 703 703 - } 704 704 - var extraI int64 705 705 - switch maj { 706 706 - case cbg.MajUnsignedInt: 707 707 - extraI = int64(extra) 708 708 - if extraI < 0 { 709 709 - return fmt.Errorf("int64 positive overflow") 710 710 - } 711 711 - case cbg.MajNegativeInt: 712 712 - extraI = int64(extra) 713 713 - if extraI < 0 { 714 714 - return fmt.Errorf("int64 negative overflow") 715 715 - } 716 716 - extraI = -1 - extraI 717 717 - default: 718 718 - return fmt.Errorf("wrong type for int64 field: %d", maj) 719 719 - } 720 720 - 721 721 - t.SchemaVersion = int64(extraI) 722 722 - } 723 723 - 724 724 - default: 725 725 - // Field doesn't exist on this type, so ignore it 726 726 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 727 727 - return err 728 728 - } 729 729 - } 730 730 - } 731 731 - 732 732 - return nil 733 733 - } 734 734 - func (t *Manifest_BlobReference) MarshalCBOR(w io.Writer) error { 735 735 - if t == nil { 736 736 - _, err := w.Write(cbg.CborNull) 737 737 - return err 738 738 - } 739 739 - 740 740 - cw := cbg.NewCborWriter(w) 741 741 - fieldCount := 6 742 742 - 743 743 - if t.LexiconTypeID == "" { 744 744 - fieldCount-- 745 745 - } 746 746 - 747 747 - if t.Annotations == nil { 748 748 - fieldCount-- 749 749 - } 750 750 - 751 751 - if t.Urls == nil { 752 752 - fieldCount-- 753 753 - } 754 754 - 755 755 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 756 756 - return err 757 757 - } 758 758 - 759 759 - // t.Size (int64) (int64) 760 760 - if len("size") > 8192 { 761 761 - return xerrors.Errorf("Value in field \"size\" was too long") 762 762 - } 763 763 - 764 764 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("size"))); err != nil { 765 765 - return err 766 766 - } 767 767 - if _, err := cw.WriteString(string("size")); err != nil { 768 768 - return err 769 769 - } 770 770 - 771 771 - if t.Size >= 0 { 772 772 - if err := cw.WriteMajorTypeHeader(cbg.MajUnsignedInt, uint64(t.Size)); err != nil { 773 773 - return err 774 774 - } 775 775 - } else { 776 776 - if err := cw.WriteMajorTypeHeader(cbg.MajNegativeInt, uint64(-t.Size-1)); err != nil { 777 777 - return err 778 778 - } 779 779 - } 780 780 - 781 781 - // t.Urls ([]string) (slice) 782 782 - if t.Urls != nil { 783 783 - 784 784 - if len("urls") > 8192 { 785 785 - return xerrors.Errorf("Value in field \"urls\" was too long") 786 786 - } 787 787 - 788 788 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("urls"))); err != nil { 789 789 - return err 790 790 - } 791 791 - if _, err := cw.WriteString(string("urls")); err != nil { 792 792 - return err 793 793 - } 794 794 - 795 795 - if len(t.Urls) > 8192 { 796 796 - return xerrors.Errorf("Slice value in field t.Urls was too long") 797 797 - } 798 798 - 799 799 - if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.Urls))); err != nil { 800 800 - return err 801 801 - } 802 802 - for _, v := range t.Urls { 803 803 - if len(v) > 8192 { 804 804 - return xerrors.Errorf("Value in field v was too long") 805 805 - } 806 806 - 807 807 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(v))); err != nil { 808 808 - return err 809 809 - } 810 810 - if _, err := cw.WriteString(string(v)); err != nil { 811 811 - return err 812 812 - } 813 813 - 814 814 - } 102 102 + // t.AddedAt (string) (string) 103 103 + if len("addedAt") > 8192 { 104 104 + return xerrors.Errorf("Value in field \"addedAt\" was too long") 815 105 } 816 106 817 817 - // t.LexiconTypeID (string) (string) 818 818 - if t.LexiconTypeID != "" { 819 819 - 820 820 - if len("$type") > 8192 { 821 821 - return xerrors.Errorf("Value in field \"$type\" was too long") 822 822 - } 823 823 - 824 824 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 825 825 - return err 826 826 - } 827 827 - if _, err := cw.WriteString(string("$type")); err != nil { 828 828 - return err 829 829 - } 830 830 - 831 831 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.manifest#blobReference"))); err != nil { 832 832 - return err 833 833 - } 834 834 - if _, err := cw.WriteString(string("io.atcr.manifest#blobReference")); err != nil { 835 835 - return err 836 836 - } 837 837 - } 838 838 - 839 839 - // t.Digest (string) (string) 840 840 - if len("digest") > 8192 { 841 841 - return xerrors.Errorf("Value in field \"digest\" was too long") 842 842 - } 843 843 - 844 844 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("digest"))); err != nil { 107 107 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("addedAt"))); err != nil { 845 108 return err 846 109 } 847 847 - if _, err := cw.WriteString(string("digest")); err != nil { 110 110 + if _, err := cw.WriteString(string("addedAt")); err != nil { 848 111 return err 849 112 } 850 113 851 851 - if len(t.Digest) > 8192 { 852 852 - return xerrors.Errorf("Value in field t.Digest was too long") 114 114 + if len(t.AddedAt) > 8192 { 115 115 + return xerrors.Errorf("Value in field t.AddedAt was too long") 853 116 } 854 117 855 855 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Digest))); err != nil { 118 118 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.AddedAt))); err != nil { 856 119 return err 857 120 } 858 858 - if _, err := cw.WriteString(string(t.Digest)); err != nil { 121 121 + if _, err := cw.WriteString(string(t.AddedAt)); err != nil { 859 122 return err 860 123 } 861 124 862 862 - // t.MediaType (string) (string) 863 863 - if len("mediaType") > 8192 { 864 864 - return xerrors.Errorf("Value in field \"mediaType\" was too long") 125 125 + // t.Permissions ([]string) (slice) 126 126 + if len("permissions") > 8192 { 127 127 + return xerrors.Errorf("Value in field \"permissions\" was too long") 865 128 } 866 129 867 867 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("mediaType"))); err != nil { 130 130 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("permissions"))); err != nil { 868 131 return err 869 132 } 870 870 - if _, err := cw.WriteString(string("mediaType")); err != nil { 133 133 + if _, err := cw.WriteString(string("permissions")); err != nil { 871 134 return err 872 135 } 873 136 874 874 - if len(t.MediaType) > 8192 { 875 875 - return xerrors.Errorf("Value in field t.MediaType was too long") 137 137 + if len(t.Permissions) > 8192 { 138 138 + return xerrors.Errorf("Slice value in field t.Permissions was too long") 876 139 } 877 140 878 878 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.MediaType))); err != nil { 879 879 - return err 880 880 - } 881 881 - if _, err := cw.WriteString(string(t.MediaType)); err != nil { 141 141 + if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.Permissions))); err != nil { 882 142 return err 883 143 } 884 884 - 885 885 - // t.Annotations (atproto.Manifest_BlobReference_Annotations) (struct) 886 886 - if t.Annotations != nil { 887 887 - 888 888 - if len("annotations") > 8192 { 889 889 - return xerrors.Errorf("Value in field \"annotations\" was too long") 144 144 + for _, v := range t.Permissions { 145 145 + if len(v) > 8192 { 146 146 + return xerrors.Errorf("Value in field v was too long") 890 147 } 891 148 892 892 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("annotations"))); err != nil { 149 149 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(v))); err != nil { 893 150 return err 894 151 } 895 895 - if _, err := cw.WriteString(string("annotations")); err != nil { 152 152 + if _, err := cw.WriteString(string(v)); err != nil { 896 153 return err 897 154 } 898 155 899 899 - if err := t.Annotations.MarshalCBOR(cw); err != nil { 900 900 - return err 901 901 - } 902 156 } 903 157 return nil 904 158 } 905 159 906 906 - func (t *Manifest_BlobReference) UnmarshalCBOR(r io.Reader) (err error) { 907 907 - *t = Manifest_BlobReference{} 160 160 + func (t *CrewRecord) UnmarshalCBOR(r io.Reader) (err error) { 161 161 + *t = CrewRecord{} 908 162 909 163 cr := cbg.NewCborReader(r) 910 164 ··· 923 177 } 924 178 925 179 if extra > cbg.MaxLength { 926 926 - return fmt.Errorf("Manifest_BlobReference: map struct too large (%d)", extra) 180 180 + return fmt.Errorf("CrewRecord: map struct too large (%d)", extra) 927 181 } 928 182 929 183 n := extra ··· 944 198 } 945 199 946 200 switch string(nameBuf[:nameLen]) { 947 947 - // t.Size (int64) (int64) 948 948 - case "size": 949 949 - { 950 950 - maj, extra, err := cr.ReadHeader() 951 951 - if err != nil { 952 952 - return err 953 953 - } 954 954 - var extraI int64 955 955 - switch maj { 956 956 - case cbg.MajUnsignedInt: 957 957 - extraI = int64(extra) 958 958 - if extraI < 0 { 959 959 - return fmt.Errorf("int64 positive overflow") 960 960 - } 961 961 - case cbg.MajNegativeInt: 962 962 - extraI = int64(extra) 963 963 - if extraI < 0 { 964 964 - return fmt.Errorf("int64 negative overflow") 965 965 - } 966 966 - extraI = -1 - extraI 967 967 - default: 968 968 - return fmt.Errorf("wrong type for int64 field: %d", maj) 969 969 - } 970 970 - 971 971 - t.Size = int64(extraI) 972 972 - } 973 973 - // t.Urls ([]string) (slice) 974 974 - case "urls": 975 975 - 976 976 - maj, extra, err = cr.ReadHeader() 977 977 - if err != nil { 978 978 - return err 979 979 - } 980 980 - 981 981 - if extra > 8192 { 982 982 - return fmt.Errorf("t.Urls: array too large (%d)", extra) 983 983 - } 984 984 - 985 985 - if maj != cbg.MajArray { 986 986 - return fmt.Errorf("expected cbor array") 987 987 - } 988 988 - 989 989 - if extra > 0 { 990 990 - t.Urls = make([]string, extra) 991 991 - } 992 992 - 993 993 - for i := 0; i < int(extra); i++ { 994 994 - { 995 995 - var maj byte 996 996 - var extra uint64 997 997 - var err error 998 998 - _ = maj 999 999 - _ = extra 1000 1000 - _ = err 1001 1001 - 1002 1002 - { 1003 1003 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1004 1004 - if err != nil { 1005 1005 - return err 1006 1006 - } 1007 1007 - 1008 1008 - t.Urls[i] = string(sval) 1009 1009 - } 1010 1010 - 1011 1011 - } 1012 1012 - } 1013 1013 - // t.LexiconTypeID (string) (string) 1014 1014 - case "$type": 201 201 + // t.Role (string) (string) 202 202 + case "role": 1015 203 1016 204 { 1017 205 sval, err := cbg.ReadStringWithMax(cr, 8192) ··· 1019 207 return err 1020 208 } 1021 209 1022 1022 - t.LexiconTypeID = string(sval) 1023 1023 - } 1024 1024 - // t.Digest (string) (string) 1025 1025 - case "digest": 1026 1026 - 1027 1027 - { 1028 1028 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1029 1029 - if err != nil { 1030 1030 - return err 1031 1031 - } 1032 1032 - 1033 1033 - t.Digest = string(sval) 1034 1034 - } 1035 1035 - // t.MediaType (string) (string) 1036 1036 - case "mediaType": 1037 1037 - 1038 1038 - { 1039 1039 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1040 1040 - if err != nil { 1041 1041 - return err 1042 1042 - } 1043 1043 - 1044 1044 - t.MediaType = string(sval) 1045 1045 - } 1046 1046 - // t.Annotations (atproto.Manifest_BlobReference_Annotations) (struct) 1047 1047 - case "annotations": 1048 1048 - 1049 1049 - { 1050 1050 - 1051 1051 - b, err := cr.ReadByte() 1052 1052 - if err != nil { 1053 1053 - return err 1054 1054 - } 1055 1055 - if b != cbg.CborNull[0] { 1056 1056 - if err := cr.UnreadByte(); err != nil { 1057 1057 - return err 1058 1058 - } 1059 1059 - t.Annotations = new(Manifest_BlobReference_Annotations) 1060 1060 - if err := t.Annotations.UnmarshalCBOR(cr); err != nil { 1061 1061 - return xerrors.Errorf("unmarshaling t.Annotations pointer: %w", err) 1062 1062 - } 1063 1063 - } 1064 1064 - 210 210 + t.Role = string(sval) 1065 211 } 1066 1066 - 1067 1067 - default: 1068 1068 - // Field doesn't exist on this type, so ignore it 1069 1069 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 1070 1070 - return err 1071 1071 - } 1072 1072 - } 1073 1073 - } 1074 1074 - 1075 1075 - return nil 1076 1076 - } 1077 1077 - func (t *Manifest_ManifestReference) MarshalCBOR(w io.Writer) error { 1078 1078 - if t == nil { 1079 1079 - _, err := w.Write(cbg.CborNull) 1080 1080 - return err 1081 1081 - } 1082 1082 - 1083 1083 - cw := cbg.NewCborWriter(w) 1084 1084 - fieldCount := 6 1085 1085 - 1086 1086 - if t.LexiconTypeID == "" { 1087 1087 - fieldCount-- 1088 1088 - } 1089 1089 - 1090 1090 - if t.Annotations == nil { 1091 1091 - fieldCount-- 1092 1092 - } 1093 1093 - 1094 1094 - if t.Platform == nil { 1095 1095 - fieldCount-- 1096 1096 - } 1097 1097 - 1098 1098 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 1099 1099 - return err 1100 1100 - } 1101 1101 - 1102 1102 - // t.Size (int64) (int64) 1103 1103 - if len("size") > 8192 { 1104 1104 - return xerrors.Errorf("Value in field \"size\" was too long") 1105 1105 - } 1106 1106 - 1107 1107 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("size"))); err != nil { 1108 1108 - return err 1109 1109 - } 1110 1110 - if _, err := cw.WriteString(string("size")); err != nil { 1111 1111 - return err 1112 1112 - } 1113 1113 - 1114 1114 - if t.Size >= 0 { 1115 1115 - if err := cw.WriteMajorTypeHeader(cbg.MajUnsignedInt, uint64(t.Size)); err != nil { 1116 1116 - return err 1117 1117 - } 1118 1118 - } else { 1119 1119 - if err := cw.WriteMajorTypeHeader(cbg.MajNegativeInt, uint64(-t.Size-1)); err != nil { 1120 1120 - return err 1121 1121 - } 1122 1122 - } 1123 1123 - 1124 1124 - // t.LexiconTypeID (string) (string) 1125 1125 - if t.LexiconTypeID != "" { 1126 1126 - 1127 1127 - if len("$type") > 8192 { 1128 1128 - return xerrors.Errorf("Value in field \"$type\" was too long") 1129 1129 - } 1130 1130 - 1131 1131 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 1132 1132 - return err 1133 1133 - } 1134 1134 - if _, err := cw.WriteString(string("$type")); err != nil { 1135 1135 - return err 1136 1136 - } 1137 1137 - 1138 1138 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.manifest#manifestReference"))); err != nil { 1139 1139 - return err 1140 1140 - } 1141 1141 - if _, err := cw.WriteString(string("io.atcr.manifest#manifestReference")); err != nil { 1142 1142 - return err 1143 1143 - } 1144 1144 - } 1145 1145 - 1146 1146 - // t.Digest (string) (string) 1147 1147 - if len("digest") > 8192 { 1148 1148 - return xerrors.Errorf("Value in field \"digest\" was too long") 1149 1149 - } 1150 1150 - 1151 1151 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("digest"))); err != nil { 1152 1152 - return err 1153 1153 - } 1154 1154 - if _, err := cw.WriteString(string("digest")); err != nil { 1155 1155 - return err 1156 1156 - } 1157 1157 - 1158 1158 - if len(t.Digest) > 8192 { 1159 1159 - return xerrors.Errorf("Value in field t.Digest was too long") 1160 1160 - } 1161 1161 - 1162 1162 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Digest))); err != nil { 1163 1163 - return err 1164 1164 - } 1165 1165 - if _, err := cw.WriteString(string(t.Digest)); err != nil { 1166 1166 - return err 1167 1167 - } 1168 1168 - 1169 1169 - // t.Platform (atproto.Manifest_Platform) (struct) 1170 1170 - if t.Platform != nil { 1171 1171 - 1172 1172 - if len("platform") > 8192 { 1173 1173 - return xerrors.Errorf("Value in field \"platform\" was too long") 1174 1174 - } 1175 1175 - 1176 1176 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("platform"))); err != nil { 1177 1177 - return err 1178 1178 - } 1179 1179 - if _, err := cw.WriteString(string("platform")); err != nil { 1180 1180 - return err 1181 1181 - } 1182 1182 - 1183 1183 - if err := t.Platform.MarshalCBOR(cw); err != nil { 1184 1184 - return err 1185 1185 - } 1186 1186 - } 1187 1187 - 1188 1188 - // t.MediaType (string) (string) 1189 1189 - if len("mediaType") > 8192 { 1190 1190 - return xerrors.Errorf("Value in field \"mediaType\" was too long") 1191 1191 - } 1192 1192 - 1193 1193 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("mediaType"))); err != nil { 1194 1194 - return err 1195 1195 - } 1196 1196 - if _, err := cw.WriteString(string("mediaType")); err != nil { 1197 1197 - return err 1198 1198 - } 1199 1199 - 1200 1200 - if len(t.MediaType) > 8192 { 1201 1201 - return xerrors.Errorf("Value in field t.MediaType was too long") 1202 1202 - } 1203 1203 - 1204 1204 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.MediaType))); err != nil { 1205 1205 - return err 1206 1206 - } 1207 1207 - if _, err := cw.WriteString(string(t.MediaType)); err != nil { 1208 1208 - return err 1209 1209 - } 1210 1210 - 1211 1211 - // t.Annotations (atproto.Manifest_ManifestReference_Annotations) (struct) 1212 1212 - if t.Annotations != nil { 1213 1213 - 1214 1214 - if len("annotations") > 8192 { 1215 1215 - return xerrors.Errorf("Value in field \"annotations\" was too long") 1216 1216 - } 1217 1217 - 1218 1218 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("annotations"))); err != nil { 1219 1219 - return err 1220 1220 - } 1221 1221 - if _, err := cw.WriteString(string("annotations")); err != nil { 1222 1222 - return err 1223 1223 - } 1224 1224 - 1225 1225 - if err := t.Annotations.MarshalCBOR(cw); err != nil { 1226 1226 - return err 1227 1227 - } 1228 1228 - } 1229 1229 - return nil 1230 1230 - } 1231 1231 - 1232 1232 - func (t *Manifest_ManifestReference) UnmarshalCBOR(r io.Reader) (err error) { 1233 1233 - *t = Manifest_ManifestReference{} 1234 1234 - 1235 1235 - cr := cbg.NewCborReader(r) 1236 1236 - 1237 1237 - maj, extra, err := cr.ReadHeader() 1238 1238 - if err != nil { 1239 1239 - return err 1240 1240 - } 1241 1241 - defer func() { 1242 1242 - if err == io.EOF { 1243 1243 - err = io.ErrUnexpectedEOF 1244 1244 - } 1245 1245 - }() 1246 1246 - 1247 1247 - if maj != cbg.MajMap { 1248 1248 - return fmt.Errorf("cbor input should be of type map") 1249 1249 - } 1250 1250 - 1251 1251 - if extra > cbg.MaxLength { 1252 1252 - return fmt.Errorf("Manifest_ManifestReference: map struct too large (%d)", extra) 1253 1253 - } 1254 1254 - 1255 1255 - n := extra 1256 1256 - 1257 1257 - nameBuf := make([]byte, 11) 1258 1258 - for i := uint64(0); i < n; i++ { 1259 1259 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 1260 1260 - if err != nil { 1261 1261 - return err 1262 1262 - } 1263 1263 - 1264 1264 - if !ok { 1265 1265 - // Field doesn't exist on this type, so ignore it 1266 1266 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 1267 1267 - return err 1268 1268 - } 1269 1269 - continue 1270 1270 - } 1271 1271 - 1272 1272 - switch string(nameBuf[:nameLen]) { 1273 1273 - // t.Size (int64) (int64) 1274 1274 - case "size": 1275 1275 - { 1276 1276 - maj, extra, err := cr.ReadHeader() 1277 1277 - if err != nil { 1278 1278 - return err 1279 1279 - } 1280 1280 - var extraI int64 1281 1281 - switch maj { 1282 1282 - case cbg.MajUnsignedInt: 1283 1283 - extraI = int64(extra) 1284 1284 - if extraI < 0 { 1285 1285 - return fmt.Errorf("int64 positive overflow") 1286 1286 - } 1287 1287 - case cbg.MajNegativeInt: 1288 1288 - extraI = int64(extra) 1289 1289 - if extraI < 0 { 1290 1290 - return fmt.Errorf("int64 negative overflow") 1291 1291 - } 1292 1292 - extraI = -1 - extraI 1293 1293 - default: 1294 1294 - return fmt.Errorf("wrong type for int64 field: %d", maj) 1295 1295 - } 1296 1296 - 1297 1297 - t.Size = int64(extraI) 1298 1298 - } 1299 1299 - // t.LexiconTypeID (string) (string) 212 212 + // t.Type (string) (string) 1300 213 case "$type": 1301 214 1302 215 { ··· 1305 218 return err 1306 219 } 1307 220 1308 1308 - t.LexiconTypeID = string(sval) 221 221 + t.Type = string(sval) 1309 222 } 1310 1310 - // t.Digest (string) (string) 1311 1311 - case "digest": 223 223 + // t.Member (string) (string) 224 224 + case "member": 1312 225 1313 226 { 1314 227 sval, err := cbg.ReadStringWithMax(cr, 8192) ··· 1316 229 return err 1317 230 } 1318 231 1319 1319 - t.Digest = string(sval) 1320 1320 - } 1321 1321 - // t.Platform (atproto.Manifest_Platform) (struct) 1322 1322 - case "platform": 1323 1323 - 1324 1324 - { 1325 1325 - 1326 1326 - b, err := cr.ReadByte() 1327 1327 - if err != nil { 1328 1328 - return err 1329 1329 - } 1330 1330 - if b != cbg.CborNull[0] { 1331 1331 - if err := cr.UnreadByte(); err != nil { 1332 1332 - return err 1333 1333 - } 1334 1334 - t.Platform = new(Manifest_Platform) 1335 1335 - if err := t.Platform.UnmarshalCBOR(cr); err != nil { 1336 1336 - return xerrors.Errorf("unmarshaling t.Platform pointer: %w", err) 1337 1337 - } 1338 1338 - } 1339 1339 - 232 232 + t.Member = string(sval) 1340 233 } 1341 1341 - // t.MediaType (string) (string) 1342 1342 - case "mediaType": 234 234 + // t.AddedAt (string) (string) 235 235 + case "addedAt": 1343 236 1344 237 { 1345 238 sval, err := cbg.ReadStringWithMax(cr, 8192) ··· 1347 240 return err 1348 241 } 1349 242 1350 1350 - t.MediaType = string(sval) 1351 1351 - } 1352 1352 - // t.Annotations (atproto.Manifest_ManifestReference_Annotations) (struct) 1353 1353 - case "annotations": 1354 1354 - 1355 1355 - { 1356 1356 - 1357 1357 - b, err := cr.ReadByte() 1358 1358 - if err != nil { 1359 1359 - return err 1360 1360 - } 1361 1361 - if b != cbg.CborNull[0] { 1362 1362 - if err := cr.UnreadByte(); err != nil { 1363 1363 - return err 1364 1364 - } 1365 1365 - t.Annotations = new(Manifest_ManifestReference_Annotations) 1366 1366 - if err := t.Annotations.UnmarshalCBOR(cr); err != nil { 1367 1367 - return xerrors.Errorf("unmarshaling t.Annotations pointer: %w", err) 1368 1368 - } 1369 1369 - } 1370 1370 - 1371 1371 - } 1372 1372 - 1373 1373 - default: 1374 1374 - // Field doesn't exist on this type, so ignore it 1375 1375 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 1376 1376 - return err 1377 1377 - } 1378 1378 - } 1379 1379 - } 1380 1380 - 1381 1381 - return nil 1382 1382 - } 1383 1383 - func (t *Manifest_Platform) MarshalCBOR(w io.Writer) error { 1384 1384 - if t == nil { 1385 1385 - _, err := w.Write(cbg.CborNull) 1386 1386 - return err 1387 1387 - } 1388 1388 - 1389 1389 - cw := cbg.NewCborWriter(w) 1390 1390 - fieldCount := 6 1391 1391 - 1392 1392 - if t.LexiconTypeID == "" { 1393 1393 - fieldCount-- 1394 1394 - } 1395 1395 - 1396 1396 - if t.OsFeatures == nil { 1397 1397 - fieldCount-- 1398 1398 - } 1399 1399 - 1400 1400 - if t.OsVersion == nil { 1401 1401 - fieldCount-- 1402 1402 - } 1403 1403 - 1404 1404 - if t.Variant == nil { 1405 1405 - fieldCount-- 1406 1406 - } 1407 1407 - 1408 1408 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 1409 1409 - return err 1410 1410 - } 1411 1411 - 1412 1412 - // t.Os (string) (string) 1413 1413 - if len("os") > 8192 { 1414 1414 - return xerrors.Errorf("Value in field \"os\" was too long") 1415 1415 - } 1416 1416 - 1417 1417 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("os"))); err != nil { 1418 1418 - return err 1419 1419 - } 1420 1420 - if _, err := cw.WriteString(string("os")); err != nil { 1421 1421 - return err 1422 1422 - } 1423 1423 - 1424 1424 - if len(t.Os) > 8192 { 1425 1425 - return xerrors.Errorf("Value in field t.Os was too long") 1426 1426 - } 1427 1427 - 1428 1428 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Os))); err != nil { 1429 1429 - return err 1430 1430 - } 1431 1431 - if _, err := cw.WriteString(string(t.Os)); err != nil { 1432 1432 - return err 1433 1433 - } 1434 1434 - 1435 1435 - // t.LexiconTypeID (string) (string) 1436 1436 - if t.LexiconTypeID != "" { 1437 1437 - 1438 1438 - if len("$type") > 8192 { 1439 1439 - return xerrors.Errorf("Value in field \"$type\" was too long") 1440 1440 - } 1441 1441 - 1442 1442 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 1443 1443 - return err 1444 1444 - } 1445 1445 - if _, err := cw.WriteString(string("$type")); err != nil { 1446 1446 - return err 1447 1447 - } 1448 1448 - 1449 1449 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.manifest#platform"))); err != nil { 1450 1450 - return err 1451 1451 - } 1452 1452 - if _, err := cw.WriteString(string("io.atcr.manifest#platform")); err != nil { 1453 1453 - return err 1454 1454 - } 1455 1455 - } 1456 1456 - 1457 1457 - // t.Variant (string) (string) 1458 1458 - if t.Variant != nil { 1459 1459 - 1460 1460 - if len("variant") > 8192 { 1461 1461 - return xerrors.Errorf("Value in field \"variant\" was too long") 1462 1462 - } 1463 1463 - 1464 1464 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("variant"))); err != nil { 1465 1465 - return err 1466 1466 - } 1467 1467 - if _, err := cw.WriteString(string("variant")); err != nil { 1468 1468 - return err 1469 1469 - } 1470 1470 - 1471 1471 - if t.Variant == nil { 1472 1472 - if _, err := cw.Write(cbg.CborNull); err != nil { 1473 1473 - return err 1474 1474 - } 1475 1475 - } else { 1476 1476 - if len(*t.Variant) > 8192 { 1477 1477 - return xerrors.Errorf("Value in field t.Variant was too long") 1478 1478 - } 1479 1479 - 1480 1480 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.Variant))); err != nil { 1481 1481 - return err 1482 1482 - } 1483 1483 - if _, err := cw.WriteString(string(*t.Variant)); err != nil { 1484 1484 - return err 1485 1485 - } 1486 1486 - } 1487 1487 - } 1488 1488 - 1489 1489 - // t.OsVersion (string) (string) 1490 1490 - if t.OsVersion != nil { 1491 1491 - 1492 1492 - if len("osVersion") > 8192 { 1493 1493 - return xerrors.Errorf("Value in field \"osVersion\" was too long") 1494 1494 - } 1495 1495 - 1496 1496 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("osVersion"))); err != nil { 1497 1497 - return err 1498 1498 - } 1499 1499 - if _, err := cw.WriteString(string("osVersion")); err != nil { 1500 1500 - return err 1501 1501 - } 1502 1502 - 1503 1503 - if t.OsVersion == nil { 1504 1504 - if _, err := cw.Write(cbg.CborNull); err != nil { 1505 1505 - return err 1506 1506 - } 1507 1507 - } else { 1508 1508 - if len(*t.OsVersion) > 8192 { 1509 1509 - return xerrors.Errorf("Value in field t.OsVersion was too long") 1510 1510 - } 1511 1511 - 1512 1512 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.OsVersion))); err != nil { 1513 1513 - return err 1514 1514 - } 1515 1515 - if _, err := cw.WriteString(string(*t.OsVersion)); err != nil { 1516 1516 - return err 1517 1517 - } 1518 1518 - } 1519 1519 - } 1520 1520 - 1521 1521 - // t.OsFeatures ([]string) (slice) 1522 1522 - if t.OsFeatures != nil { 1523 1523 - 1524 1524 - if len("osFeatures") > 8192 { 1525 1525 - return xerrors.Errorf("Value in field \"osFeatures\" was too long") 1526 1526 - } 1527 1527 - 1528 1528 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("osFeatures"))); err != nil { 1529 1529 - return err 1530 1530 - } 1531 1531 - if _, err := cw.WriteString(string("osFeatures")); err != nil { 1532 1532 - return err 1533 1533 - } 1534 1534 - 1535 1535 - if len(t.OsFeatures) > 8192 { 1536 1536 - return xerrors.Errorf("Slice value in field t.OsFeatures was too long") 1537 1537 - } 1538 1538 - 1539 1539 - if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.OsFeatures))); err != nil { 1540 1540 - return err 1541 1541 - } 1542 1542 - for _, v := range t.OsFeatures { 1543 1543 - if len(v) > 8192 { 1544 1544 - return xerrors.Errorf("Value in field v was too long") 1545 1545 - } 1546 1546 - 1547 1547 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(v))); err != nil { 1548 1548 - return err 1549 1549 - } 1550 1550 - if _, err := cw.WriteString(string(v)); err != nil { 1551 1551 - return err 1552 1552 - } 1553 1553 - 1554 1554 - } 1555 1555 - } 1556 1556 - 1557 1557 - // t.Architecture (string) (string) 1558 1558 - if len("architecture") > 8192 { 1559 1559 - return xerrors.Errorf("Value in field \"architecture\" was too long") 1560 1560 - } 1561 1561 - 1562 1562 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("architecture"))); err != nil { 1563 1563 - return err 1564 1564 - } 1565 1565 - if _, err := cw.WriteString(string("architecture")); err != nil { 1566 1566 - return err 1567 1567 - } 1568 1568 - 1569 1569 - if len(t.Architecture) > 8192 { 1570 1570 - return xerrors.Errorf("Value in field t.Architecture was too long") 1571 1571 - } 1572 1572 - 1573 1573 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Architecture))); err != nil { 1574 1574 - return err 1575 1575 - } 1576 1576 - if _, err := cw.WriteString(string(t.Architecture)); err != nil { 1577 1577 - return err 1578 1578 - } 1579 1579 - return nil 1580 1580 - } 1581 1581 - 1582 1582 - func (t *Manifest_Platform) UnmarshalCBOR(r io.Reader) (err error) { 1583 1583 - *t = Manifest_Platform{} 1584 1584 - 1585 1585 - cr := cbg.NewCborReader(r) 1586 1586 - 1587 1587 - maj, extra, err := cr.ReadHeader() 1588 1588 - if err != nil { 1589 1589 - return err 1590 1590 - } 1591 1591 - defer func() { 1592 1592 - if err == io.EOF { 1593 1593 - err = io.ErrUnexpectedEOF 1594 1594 - } 1595 1595 - }() 1596 1596 - 1597 1597 - if maj != cbg.MajMap { 1598 1598 - return fmt.Errorf("cbor input should be of type map") 1599 1599 - } 1600 1600 - 1601 1601 - if extra > cbg.MaxLength { 1602 1602 - return fmt.Errorf("Manifest_Platform: map struct too large (%d)", extra) 1603 1603 - } 1604 1604 - 1605 1605 - n := extra 1606 1606 - 1607 1607 - nameBuf := make([]byte, 12) 1608 1608 - for i := uint64(0); i < n; i++ { 1609 1609 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 1610 1610 - if err != nil { 1611 1611 - return err 1612 1612 - } 1613 1613 - 1614 1614 - if !ok { 1615 1615 - // Field doesn't exist on this type, so ignore it 1616 1616 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 1617 1617 - return err 1618 1618 - } 1619 1619 - continue 1620 1620 - } 1621 1621 - 1622 1622 - switch string(nameBuf[:nameLen]) { 1623 1623 - // t.Os (string) (string) 1624 1624 - case "os": 1625 1625 - 1626 1626 - { 1627 1627 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1628 1628 - if err != nil { 1629 1629 - return err 1630 1630 - } 1631 1631 - 1632 1632 - t.Os = string(sval) 1633 1633 - } 1634 1634 - // t.LexiconTypeID (string) (string) 1635 1635 - case "$type": 1636 1636 - 1637 1637 - { 1638 1638 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1639 1639 - if err != nil { 1640 1640 - return err 1641 1641 - } 1642 1642 - 1643 1643 - t.LexiconTypeID = string(sval) 1644 1644 - } 1645 1645 - // t.Variant (string) (string) 1646 1646 - case "variant": 1647 1647 - 1648 1648 - { 1649 1649 - b, err := cr.ReadByte() 1650 1650 - if err != nil { 1651 1651 - return err 1652 1652 - } 1653 1653 - if b != cbg.CborNull[0] { 1654 1654 - if err := cr.UnreadByte(); err != nil { 1655 1655 - return err 1656 1656 - } 1657 1657 - 1658 1658 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1659 1659 - if err != nil { 1660 1660 - return err 1661 1661 - } 1662 1662 - 1663 1663 - t.Variant = (*string)(&sval) 1664 1664 - } 243 243 + t.AddedAt = string(sval) 1665 244 } 1666 1666 - // t.OsVersion (string) (string) 1667 1667 - case "osVersion": 1668 1668 - 1669 1669 - { 1670 1670 - b, err := cr.ReadByte() 1671 1671 - if err != nil { 1672 1672 - return err 1673 1673 - } 1674 1674 - if b != cbg.CborNull[0] { 1675 1675 - if err := cr.UnreadByte(); err != nil { 1676 1676 - return err 1677 1677 - } 1678 1678 - 1679 1679 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1680 1680 - if err != nil { 1681 1681 - return err 1682 1682 - } 1683 1683 - 1684 1684 - t.OsVersion = (*string)(&sval) 1685 1685 - } 1686 1686 - } 1687 1687 - // t.OsFeatures ([]string) (slice) 1688 1688 - case "osFeatures": 245 245 + // t.Permissions ([]string) (slice) 246 246 + case "permissions": 1689 247 1690 248 maj, extra, err = cr.ReadHeader() 1691 249 if err != nil { ··· 1693 251 } 1694 252 1695 253 if extra > 8192 { 1696 1696 - return fmt.Errorf("t.OsFeatures: array too large (%d)", extra) 254 254 + return fmt.Errorf("t.Permissions: array too large (%d)", extra) 1697 255 } 1698 256 1699 257 if maj != cbg.MajArray { ··· 1701 259 } 1702 260 1703 261 if extra > 0 { 1704 1704 - t.OsFeatures = make([]string, extra) 262 262 + t.Permissions = make([]string, extra) 1705 263 } 1706 264 1707 265 for i := 0; i < int(extra); i++ { ··· 1719 277 return err 1720 278 } 1721 279 1722 1722 - t.OsFeatures[i] = string(sval) 280 280 + t.Permissions[i] = string(sval) 1723 281 } 1724 282 1725 283 } 1726 284 } 1727 1727 - // t.Architecture (string) (string) 1728 1728 - case "architecture": 1729 1729 - 1730 1730 - { 1731 1731 - sval, err := cbg.ReadStringWithMax(cr, 8192) 1732 1732 - if err != nil { 1733 1733 - return err 1734 1734 - } 1735 1735 - 1736 1736 - t.Architecture = string(sval) 1737 1737 - } 1738 285 1739 286 default: 1740 287 // Field doesn't exist on this type, so ignore it ··· 1746 293 1747 294 return nil 1748 295 } 1749 1749 - func (t *Manifest_Annotations) MarshalCBOR(w io.Writer) error { 1750 1750 - if t == nil { 1751 1751 - _, err := w.Write(cbg.CborNull) 1752 1752 - return err 1753 1753 - } 1754 1754 - 1755 1755 - cw := cbg.NewCborWriter(w) 1756 1756 - 1757 1757 - if _, err := cw.Write([]byte{160}); err != nil { 1758 1758 - return err 1759 1759 - } 1760 1760 - return nil 1761 1761 - } 1762 1762 - 1763 1763 - func (t *Manifest_Annotations) UnmarshalCBOR(r io.Reader) (err error) { 1764 1764 - *t = Manifest_Annotations{} 1765 1765 - 1766 1766 - cr := cbg.NewCborReader(r) 1767 1767 - 1768 1768 - maj, extra, err := cr.ReadHeader() 1769 1769 - if err != nil { 1770 1770 - return err 1771 1771 - } 1772 1772 - defer func() { 1773 1773 - if err == io.EOF { 1774 1774 - err = io.ErrUnexpectedEOF 1775 1775 - } 1776 1776 - }() 1777 1777 - 1778 1778 - if maj != cbg.MajMap { 1779 1779 - return fmt.Errorf("cbor input should be of type map") 1780 1780 - } 1781 1781 - 1782 1782 - if extra > cbg.MaxLength { 1783 1783 - return fmt.Errorf("Manifest_Annotations: map struct too large (%d)", extra) 1784 1784 - } 1785 1785 - 1786 1786 - n := extra 1787 1787 - 1788 1788 - nameBuf := make([]byte, 0) 1789 1789 - for i := uint64(0); i < n; i++ { 1790 1790 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 1791 1791 - if err != nil { 1792 1792 - return err 1793 1793 - } 1794 1794 - 1795 1795 - if !ok { 1796 1796 - // Field doesn't exist on this type, so ignore it 1797 1797 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 1798 1798 - return err 1799 1799 - } 1800 1800 - continue 1801 1801 - } 1802 1802 - 1803 1803 - switch string(nameBuf[:nameLen]) { 1804 1804 - 1805 1805 - default: 1806 1806 - // Field doesn't exist on this type, so ignore it 1807 1807 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 1808 1808 - return err 1809 1809 - } 1810 1810 - } 1811 1811 - } 1812 1812 - 1813 1813 - return nil 1814 1814 - } 1815 1815 - func (t *Manifest_BlobReference_Annotations) MarshalCBOR(w io.Writer) error { 1816 1816 - if t == nil { 1817 1817 - _, err := w.Write(cbg.CborNull) 1818 1818 - return err 1819 1819 - } 1820 1820 - 1821 1821 - cw := cbg.NewCborWriter(w) 1822 1822 - 1823 1823 - if _, err := cw.Write([]byte{160}); err != nil { 1824 1824 - return err 1825 1825 - } 1826 1826 - return nil 1827 1827 - } 1828 1828 - 1829 1829 - func (t *Manifest_BlobReference_Annotations) UnmarshalCBOR(r io.Reader) (err error) { 1830 1830 - *t = Manifest_BlobReference_Annotations{} 1831 1831 - 1832 1832 - cr := cbg.NewCborReader(r) 1833 1833 - 1834 1834 - maj, extra, err := cr.ReadHeader() 1835 1835 - if err != nil { 1836 1836 - return err 1837 1837 - } 1838 1838 - defer func() { 1839 1839 - if err == io.EOF { 1840 1840 - err = io.ErrUnexpectedEOF 1841 1841 - } 1842 1842 - }() 1843 1843 - 1844 1844 - if maj != cbg.MajMap { 1845 1845 - return fmt.Errorf("cbor input should be of type map") 1846 1846 - } 1847 1847 - 1848 1848 - if extra > cbg.MaxLength { 1849 1849 - return fmt.Errorf("Manifest_BlobReference_Annotations: map struct too large (%d)", extra) 1850 1850 - } 1851 1851 - 1852 1852 - n := extra 1853 1853 - 1854 1854 - nameBuf := make([]byte, 0) 1855 1855 - for i := uint64(0); i < n; i++ { 1856 1856 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 1857 1857 - if err != nil { 1858 1858 - return err 1859 1859 - } 1860 1860 - 1861 1861 - if !ok { 1862 1862 - // Field doesn't exist on this type, so ignore it 1863 1863 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 1864 1864 - return err 1865 1865 - } 1866 1866 - continue 1867 1867 - } 1868 1868 - 1869 1869 - switch string(nameBuf[:nameLen]) { 1870 1870 - 1871 1871 - default: 1872 1872 - // Field doesn't exist on this type, so ignore it 1873 1873 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 1874 1874 - return err 1875 1875 - } 1876 1876 - } 1877 1877 - } 1878 1878 - 1879 1879 - return nil 1880 1880 - } 1881 1881 - func (t *Manifest_ManifestReference_Annotations) MarshalCBOR(w io.Writer) error { 1882 1882 - if t == nil { 1883 1883 - _, err := w.Write(cbg.CborNull) 1884 1884 - return err 1885 1885 - } 1886 1886 - 1887 1887 - cw := cbg.NewCborWriter(w) 1888 1888 - 1889 1889 - if _, err := cw.Write([]byte{160}); err != nil { 1890 1890 - return err 1891 1891 - } 1892 1892 - return nil 1893 1893 - } 1894 1894 - 1895 1895 - func (t *Manifest_ManifestReference_Annotations) UnmarshalCBOR(r io.Reader) (err error) { 1896 1896 - *t = Manifest_ManifestReference_Annotations{} 1897 1897 - 1898 1898 - cr := cbg.NewCborReader(r) 1899 1899 - 1900 1900 - maj, extra, err := cr.ReadHeader() 1901 1901 - if err != nil { 1902 1902 - return err 1903 1903 - } 1904 1904 - defer func() { 1905 1905 - if err == io.EOF { 1906 1906 - err = io.ErrUnexpectedEOF 1907 1907 - } 1908 1908 - }() 1909 1909 - 1910 1910 - if maj != cbg.MajMap { 1911 1911 - return fmt.Errorf("cbor input should be of type map") 1912 1912 - } 1913 1913 - 1914 1914 - if extra > cbg.MaxLength { 1915 1915 - return fmt.Errorf("Manifest_ManifestReference_Annotations: map struct too large (%d)", extra) 1916 1916 - } 1917 1917 - 1918 1918 - n := extra 1919 1919 - 1920 1920 - nameBuf := make([]byte, 0) 1921 1921 - for i := uint64(0); i < n; i++ { 1922 1922 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 1923 1923 - if err != nil { 1924 1924 - return err 1925 1925 - } 1926 1926 - 1927 1927 - if !ok { 1928 1928 - // Field doesn't exist on this type, so ignore it 1929 1929 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 1930 1930 - return err 1931 1931 - } 1932 1932 - continue 1933 1933 - } 1934 1934 - 1935 1935 - switch string(nameBuf[:nameLen]) { 1936 1936 - 1937 1937 - default: 1938 1938 - // Field doesn't exist on this type, so ignore it 1939 1939 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 1940 1940 - return err 1941 1941 - } 1942 1942 - } 1943 1943 - } 1944 1944 - 1945 1945 - return nil 1946 1946 - } 1947 1947 - func (t *Tag) MarshalCBOR(w io.Writer) error { 296 296 + func (t *CaptainRecord) MarshalCBOR(w io.Writer) error { 1948 297 if t == nil { 1949 298 _, err := w.Write(cbg.CborNull) 1950 299 return err 1951 300 } 1952 301 1953 302 cw := cbg.NewCborWriter(w) 1954 1954 - fieldCount := 6 303 303 + fieldCount := 8 1955 304 1956 1956 - if t.Manifest == nil { 305 305 + if t.Region == "" { 1957 306 fieldCount-- 1958 307 } 1959 308 1960 1960 - if t.ManifestDigest == nil { 309 309 + if t.Provider == "" { 1961 310 fieldCount-- 1962 311 } 1963 312 ··· 1965 314 return err 1966 315 } 1967 316 1968 1968 - // t.Tag (string) (string) 1969 1969 - if len("tag") > 8192 { 1970 1970 - return xerrors.Errorf("Value in field \"tag\" was too long") 1971 1971 - } 1972 1972 - 1973 1973 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("tag"))); err != nil { 1974 1974 - return err 1975 1975 - } 1976 1976 - if _, err := cw.WriteString(string("tag")); err != nil { 1977 1977 - return err 1978 1978 - } 1979 1979 - 1980 1980 - if len(t.Tag) > 8192 { 1981 1981 - return xerrors.Errorf("Value in field t.Tag was too long") 1982 1982 - } 1983 1983 - 1984 1984 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Tag))); err != nil { 1985 1985 - return err 1986 1986 - } 1987 1987 - if _, err := cw.WriteString(string(t.Tag)); err != nil { 1988 1988 - return err 1989 1989 - } 1990 1990 - 1991 1991 - // t.LexiconTypeID (string) (string) 1992 1992 - if len("$type") > 8192 { 1993 1993 - return xerrors.Errorf("Value in field \"$type\" was too long") 1994 1994 - } 1995 1995 - 1996 1996 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 1997 1997 - return err 1998 1998 - } 1999 1999 - if _, err := cw.WriteString(string("$type")); err != nil { 2000 2000 - return err 2001 2001 - } 2002 2002 - 2003 2003 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.tag"))); err != nil { 2004 2004 - return err 2005 2005 - } 2006 2006 - if _, err := cw.WriteString(string("io.atcr.tag")); err != nil { 2007 2007 - return err 2008 2008 - } 2009 2009 - 2010 2010 - // t.Manifest (string) (string) 2011 2011 - if t.Manifest != nil { 2012 2012 - 2013 2013 - if len("manifest") > 8192 { 2014 2014 - return xerrors.Errorf("Value in field \"manifest\" was too long") 2015 2015 - } 2016 2016 - 2017 2017 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("manifest"))); err != nil { 2018 2018 - return err 2019 2019 - } 2020 2020 - if _, err := cw.WriteString(string("manifest")); err != nil { 2021 2021 - return err 2022 2022 - } 2023 2023 - 2024 2024 - if t.Manifest == nil { 2025 2025 - if _, err := cw.Write(cbg.CborNull); err != nil { 2026 2026 - return err 2027 2027 - } 2028 2028 - } else { 2029 2029 - if len(*t.Manifest) > 8192 { 2030 2030 - return xerrors.Errorf("Value in field t.Manifest was too long") 2031 2031 - } 2032 2032 - 2033 2033 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.Manifest))); err != nil { 2034 2034 - return err 2035 2035 - } 2036 2036 - if _, err := cw.WriteString(string(*t.Manifest)); err != nil { 2037 2037 - return err 2038 2038 - } 2039 2039 - } 2040 2040 - } 2041 2041 - 2042 2042 - // t.CreatedAt (string) (string) 2043 2043 - if len("createdAt") > 8192 { 2044 2044 - return xerrors.Errorf("Value in field \"createdAt\" was too long") 2045 2045 - } 2046 2046 - 2047 2047 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("createdAt"))); err != nil { 2048 2048 - return err 2049 2049 - } 2050 2050 - if _, err := cw.WriteString(string("createdAt")); err != nil { 2051 2051 - return err 2052 2052 - } 2053 2053 - 2054 2054 - if len(t.CreatedAt) > 8192 { 2055 2055 - return xerrors.Errorf("Value in field t.CreatedAt was too long") 2056 2056 - } 2057 2057 - 2058 2058 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.CreatedAt))); err != nil { 2059 2059 - return err 2060 2060 - } 2061 2061 - if _, err := cw.WriteString(string(t.CreatedAt)); err != nil { 2062 2062 - return err 2063 2063 - } 2064 2064 - 2065 2065 - // t.Repository (string) (string) 2066 2066 - if len("repository") > 8192 { 2067 2067 - return xerrors.Errorf("Value in field \"repository\" was too long") 2068 2068 - } 2069 2069 - 2070 2070 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("repository"))); err != nil { 2071 2071 - return err 2072 2072 - } 2073 2073 - if _, err := cw.WriteString(string("repository")); err != nil { 2074 2074 - return err 2075 2075 - } 2076 2076 - 2077 2077 - if len(t.Repository) > 8192 { 2078 2078 - return xerrors.Errorf("Value in field t.Repository was too long") 2079 2079 - } 2080 2080 - 2081 2081 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Repository))); err != nil { 2082 2082 - return err 2083 2083 - } 2084 2084 - if _, err := cw.WriteString(string(t.Repository)); err != nil { 2085 2085 - return err 2086 2086 - } 2087 2087 - 2088 2088 - // t.ManifestDigest (string) (string) 2089 2089 - if t.ManifestDigest != nil { 2090 2090 - 2091 2091 - if len("manifestDigest") > 8192 { 2092 2092 - return xerrors.Errorf("Value in field \"manifestDigest\" was too long") 2093 2093 - } 2094 2094 - 2095 2095 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("manifestDigest"))); err != nil { 2096 2096 - return err 2097 2097 - } 2098 2098 - if _, err := cw.WriteString(string("manifestDigest")); err != nil { 2099 2099 - return err 2100 2100 - } 2101 2101 - 2102 2102 - if t.ManifestDigest == nil { 2103 2103 - if _, err := cw.Write(cbg.CborNull); err != nil { 2104 2104 - return err 2105 2105 - } 2106 2106 - } else { 2107 2107 - if len(*t.ManifestDigest) > 8192 { 2108 2108 - return xerrors.Errorf("Value in field t.ManifestDigest was too long") 2109 2109 - } 2110 2110 - 2111 2111 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.ManifestDigest))); err != nil { 2112 2112 - return err 2113 2113 - } 2114 2114 - if _, err := cw.WriteString(string(*t.ManifestDigest)); err != nil { 2115 2115 - return err 2116 2116 - } 2117 2117 - } 2118 2118 - } 2119 2119 - return nil 2120 2120 - } 2121 2121 - 2122 2122 - func (t *Tag) UnmarshalCBOR(r io.Reader) (err error) { 2123 2123 - *t = Tag{} 2124 2124 - 2125 2125 - cr := cbg.NewCborReader(r) 2126 2126 - 2127 2127 - maj, extra, err := cr.ReadHeader() 2128 2128 - if err != nil { 2129 2129 - return err 2130 2130 - } 2131 2131 - defer func() { 2132 2132 - if err == io.EOF { 2133 2133 - err = io.ErrUnexpectedEOF 2134 2134 - } 2135 2135 - }() 2136 2136 - 2137 2137 - if maj != cbg.MajMap { 2138 2138 - return fmt.Errorf("cbor input should be of type map") 2139 2139 - } 2140 2140 - 2141 2141 - if extra > cbg.MaxLength { 2142 2142 - return fmt.Errorf("Tag: map struct too large (%d)", extra) 2143 2143 - } 2144 2144 - 2145 2145 - n := extra 2146 2146 - 2147 2147 - nameBuf := make([]byte, 14) 2148 2148 - for i := uint64(0); i < n; i++ { 2149 2149 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 2150 2150 - if err != nil { 2151 2151 - return err 2152 2152 - } 2153 2153 - 2154 2154 - if !ok { 2155 2155 - // Field doesn't exist on this type, so ignore it 2156 2156 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 2157 2157 - return err 2158 2158 - } 2159 2159 - continue 2160 2160 - } 2161 2161 - 2162 2162 - switch string(nameBuf[:nameLen]) { 2163 2163 - // t.Tag (string) (string) 2164 2164 - case "tag": 2165 2165 - 2166 2166 - { 2167 2167 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2168 2168 - if err != nil { 2169 2169 - return err 2170 2170 - } 2171 2171 - 2172 2172 - t.Tag = string(sval) 2173 2173 - } 2174 2174 - // t.LexiconTypeID (string) (string) 2175 2175 - case "$type": 2176 2176 - 2177 2177 - { 2178 2178 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2179 2179 - if err != nil { 2180 2180 - return err 2181 2181 - } 2182 2182 - 2183 2183 - t.LexiconTypeID = string(sval) 2184 2184 - } 2185 2185 - // t.Manifest (string) (string) 2186 2186 - case "manifest": 2187 2187 - 2188 2188 - { 2189 2189 - b, err := cr.ReadByte() 2190 2190 - if err != nil { 2191 2191 - return err 2192 2192 - } 2193 2193 - if b != cbg.CborNull[0] { 2194 2194 - if err := cr.UnreadByte(); err != nil { 2195 2195 - return err 2196 2196 - } 2197 2197 - 2198 2198 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2199 2199 - if err != nil { 2200 2200 - return err 2201 2201 - } 2202 2202 - 2203 2203 - t.Manifest = (*string)(&sval) 2204 2204 - } 2205 2205 - } 2206 2206 - // t.CreatedAt (string) (string) 2207 2207 - case "createdAt": 2208 2208 - 2209 2209 - { 2210 2210 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2211 2211 - if err != nil { 2212 2212 - return err 2213 2213 - } 2214 2214 - 2215 2215 - t.CreatedAt = string(sval) 2216 2216 - } 2217 2217 - // t.Repository (string) (string) 2218 2218 - case "repository": 2219 2219 - 2220 2220 - { 2221 2221 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2222 2222 - if err != nil { 2223 2223 - return err 2224 2224 - } 2225 2225 - 2226 2226 - t.Repository = string(sval) 2227 2227 - } 2228 2228 - // t.ManifestDigest (string) (string) 2229 2229 - case "manifestDigest": 2230 2230 - 2231 2231 - { 2232 2232 - b, err := cr.ReadByte() 2233 2233 - if err != nil { 2234 2234 - return err 2235 2235 - } 2236 2236 - if b != cbg.CborNull[0] { 2237 2237 - if err := cr.UnreadByte(); err != nil { 2238 2238 - return err 2239 2239 - } 2240 2240 - 2241 2241 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2242 2242 - if err != nil { 2243 2243 - return err 2244 2244 - } 2245 2245 - 2246 2246 - t.ManifestDigest = (*string)(&sval) 2247 2247 - } 2248 2248 - } 2249 2249 - 2250 2250 - default: 2251 2251 - // Field doesn't exist on this type, so ignore it 2252 2252 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 2253 2253 - return err 2254 2254 - } 2255 2255 - } 2256 2256 - } 2257 2257 - 2258 2258 - return nil 2259 2259 - } 2260 2260 - func (t *SailorProfile) MarshalCBOR(w io.Writer) error { 2261 2261 - if t == nil { 2262 2262 - _, err := w.Write(cbg.CborNull) 2263 2263 - return err 2264 2264 - } 2265 2265 - 2266 2266 - cw := cbg.NewCborWriter(w) 2267 2267 - fieldCount := 4 2268 2268 - 2269 2269 - if t.DefaultHold == nil { 2270 2270 - fieldCount-- 2271 2271 - } 2272 2272 - 2273 2273 - if t.UpdatedAt == nil { 2274 2274 - fieldCount-- 2275 2275 - } 2276 2276 - 2277 2277 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 2278 2278 - return err 2279 2279 - } 2280 2280 - 2281 2281 - // t.LexiconTypeID (string) (string) 2282 2282 - if len("$type") > 8192 { 2283 2283 - return xerrors.Errorf("Value in field \"$type\" was too long") 2284 2284 - } 2285 2285 - 2286 2286 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 2287 2287 - return err 2288 2288 - } 2289 2289 - if _, err := cw.WriteString(string("$type")); err != nil { 2290 2290 - return err 2291 2291 - } 2292 2292 - 2293 2293 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.sailor.profile"))); err != nil { 2294 2294 - return err 2295 2295 - } 2296 2296 - if _, err := cw.WriteString(string("io.atcr.sailor.profile")); err != nil { 2297 2297 - return err 2298 2298 - } 2299 2299 - 2300 2300 - // t.CreatedAt (string) (string) 2301 2301 - if len("createdAt") > 8192 { 2302 2302 - return xerrors.Errorf("Value in field \"createdAt\" was too long") 2303 2303 - } 2304 2304 - 2305 2305 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("createdAt"))); err != nil { 2306 2306 - return err 2307 2307 - } 2308 2308 - if _, err := cw.WriteString(string("createdAt")); err != nil { 2309 2309 - return err 2310 2310 - } 2311 2311 - 2312 2312 - if len(t.CreatedAt) > 8192 { 2313 2313 - return xerrors.Errorf("Value in field t.CreatedAt was too long") 2314 2314 - } 2315 2315 - 2316 2316 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.CreatedAt))); err != nil { 2317 2317 - return err 2318 2318 - } 2319 2319 - if _, err := cw.WriteString(string(t.CreatedAt)); err != nil { 2320 2320 - return err 2321 2321 - } 2322 2322 - 2323 2323 - // t.UpdatedAt (string) (string) 2324 2324 - if t.UpdatedAt != nil { 2325 2325 - 2326 2326 - if len("updatedAt") > 8192 { 2327 2327 - return xerrors.Errorf("Value in field \"updatedAt\" was too long") 2328 2328 - } 2329 2329 - 2330 2330 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("updatedAt"))); err != nil { 2331 2331 - return err 2332 2332 - } 2333 2333 - if _, err := cw.WriteString(string("updatedAt")); err != nil { 2334 2334 - return err 2335 2335 - } 2336 2336 - 2337 2337 - if t.UpdatedAt == nil { 2338 2338 - if _, err := cw.Write(cbg.CborNull); err != nil { 2339 2339 - return err 2340 2340 - } 2341 2341 - } else { 2342 2342 - if len(*t.UpdatedAt) > 8192 { 2343 2343 - return xerrors.Errorf("Value in field t.UpdatedAt was too long") 2344 2344 - } 2345 2345 - 2346 2346 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.UpdatedAt))); err != nil { 2347 2347 - return err 2348 2348 - } 2349 2349 - if _, err := cw.WriteString(string(*t.UpdatedAt)); err != nil { 2350 2350 - return err 2351 2351 - } 2352 2352 - } 2353 2353 - } 2354 2354 - 2355 2355 - // t.DefaultHold (string) (string) 2356 2356 - if t.DefaultHold != nil { 2357 2357 - 2358 2358 - if len("defaultHold") > 8192 { 2359 2359 - return xerrors.Errorf("Value in field \"defaultHold\" was too long") 2360 2360 - } 2361 2361 - 2362 2362 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("defaultHold"))); err != nil { 2363 2363 - return err 2364 2364 - } 2365 2365 - if _, err := cw.WriteString(string("defaultHold")); err != nil { 2366 2366 - return err 2367 2367 - } 2368 2368 - 2369 2369 - if t.DefaultHold == nil { 2370 2370 - if _, err := cw.Write(cbg.CborNull); err != nil { 2371 2371 - return err 2372 2372 - } 2373 2373 - } else { 2374 2374 - if len(*t.DefaultHold) > 8192 { 2375 2375 - return xerrors.Errorf("Value in field t.DefaultHold was too long") 2376 2376 - } 2377 2377 - 2378 2378 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.DefaultHold))); err != nil { 2379 2379 - return err 2380 2380 - } 2381 2381 - if _, err := cw.WriteString(string(*t.DefaultHold)); err != nil { 2382 2382 - return err 2383 2383 - } 2384 2384 - } 2385 2385 - } 2386 2386 - return nil 2387 2387 - } 2388 2388 - 2389 2389 - func (t *SailorProfile) UnmarshalCBOR(r io.Reader) (err error) { 2390 2390 - *t = SailorProfile{} 2391 2391 - 2392 2392 - cr := cbg.NewCborReader(r) 2393 2393 - 2394 2394 - maj, extra, err := cr.ReadHeader() 2395 2395 - if err != nil { 2396 2396 - return err 2397 2397 - } 2398 2398 - defer func() { 2399 2399 - if err == io.EOF { 2400 2400 - err = io.ErrUnexpectedEOF 2401 2401 - } 2402 2402 - }() 2403 2403 - 2404 2404 - if maj != cbg.MajMap { 2405 2405 - return fmt.Errorf("cbor input should be of type map") 2406 2406 - } 2407 2407 - 2408 2408 - if extra > cbg.MaxLength { 2409 2409 - return fmt.Errorf("SailorProfile: map struct too large (%d)", extra) 2410 2410 - } 2411 2411 - 2412 2412 - n := extra 2413 2413 - 2414 2414 - nameBuf := make([]byte, 11) 2415 2415 - for i := uint64(0); i < n; i++ { 2416 2416 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 2417 2417 - if err != nil { 2418 2418 - return err 2419 2419 - } 2420 2420 - 2421 2421 - if !ok { 2422 2422 - // Field doesn't exist on this type, so ignore it 2423 2423 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 2424 2424 - return err 2425 2425 - } 2426 2426 - continue 2427 2427 - } 2428 2428 - 2429 2429 - switch string(nameBuf[:nameLen]) { 2430 2430 - // t.LexiconTypeID (string) (string) 2431 2431 - case "$type": 2432 2432 - 2433 2433 - { 2434 2434 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2435 2435 - if err != nil { 2436 2436 - return err 2437 2437 - } 2438 2438 - 2439 2439 - t.LexiconTypeID = string(sval) 2440 2440 - } 2441 2441 - // t.CreatedAt (string) (string) 2442 2442 - case "createdAt": 2443 2443 - 2444 2444 - { 2445 2445 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2446 2446 - if err != nil { 2447 2447 - return err 2448 2448 - } 2449 2449 - 2450 2450 - t.CreatedAt = string(sval) 2451 2451 - } 2452 2452 - // t.UpdatedAt (string) (string) 2453 2453 - case "updatedAt": 2454 2454 - 2455 2455 - { 2456 2456 - b, err := cr.ReadByte() 2457 2457 - if err != nil { 2458 2458 - return err 2459 2459 - } 2460 2460 - if b != cbg.CborNull[0] { 2461 2461 - if err := cr.UnreadByte(); err != nil { 2462 2462 - return err 2463 2463 - } 2464 2464 - 2465 2465 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2466 2466 - if err != nil { 2467 2467 - return err 2468 2468 - } 2469 2469 - 2470 2470 - t.UpdatedAt = (*string)(&sval) 2471 2471 - } 2472 2472 - } 2473 2473 - // t.DefaultHold (string) (string) 2474 2474 - case "defaultHold": 2475 2475 - 2476 2476 - { 2477 2477 - b, err := cr.ReadByte() 2478 2478 - if err != nil { 2479 2479 - return err 2480 2480 - } 2481 2481 - if b != cbg.CborNull[0] { 2482 2482 - if err := cr.UnreadByte(); err != nil { 2483 2483 - return err 2484 2484 - } 2485 2485 - 2486 2486 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2487 2487 - if err != nil { 2488 2488 - return err 2489 2489 - } 2490 2490 - 2491 2491 - t.DefaultHold = (*string)(&sval) 2492 2492 - } 2493 2493 - } 2494 2494 - 2495 2495 - default: 2496 2496 - // Field doesn't exist on this type, so ignore it 2497 2497 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 2498 2498 - return err 2499 2499 - } 2500 2500 - } 2501 2501 - } 2502 2502 - 2503 2503 - return nil 2504 2504 - } 2505 2505 - func (t *SailorStar) MarshalCBOR(w io.Writer) error { 2506 2506 - if t == nil { 2507 2507 - _, err := w.Write(cbg.CborNull) 2508 2508 - return err 2509 2509 - } 2510 2510 - 2511 2511 - cw := cbg.NewCborWriter(w) 2512 2512 - 2513 2513 - if _, err := cw.Write([]byte{163}); err != nil { 2514 2514 - return err 2515 2515 - } 2516 2516 - 2517 2517 - // t.LexiconTypeID (string) (string) 317 317 + // t.Type (string) (string) 2518 318 if len("$type") > 8192 { 2519 319 return xerrors.Errorf("Value in field \"$type\" was too long") 2520 320 } ··· 2526 326 return err 2527 327 } 2528 328 2529 2529 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.sailor.star"))); err != nil { 2530 2530 - return err 2531 2531 - } 2532 2532 - if _, err := cw.WriteString(string("io.atcr.sailor.star")); err != nil { 2533 2533 - return err 2534 2534 - } 2535 2535 - 2536 2536 - // t.Subject (atproto.SailorStar_Subject) (struct) 2537 2537 - if len("subject") > 8192 { 2538 2538 - return xerrors.Errorf("Value in field \"subject\" was too long") 2539 2539 - } 2540 2540 - 2541 2541 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("subject"))); err != nil { 2542 2542 - return err 2543 2543 - } 2544 2544 - if _, err := cw.WriteString(string("subject")); err != nil { 2545 2545 - return err 2546 2546 - } 2547 2547 - 2548 2548 - if err := t.Subject.MarshalCBOR(cw); err != nil { 2549 2549 - return err 2550 2550 - } 2551 2551 - 2552 2552 - // t.CreatedAt (string) (string) 2553 2553 - if len("createdAt") > 8192 { 2554 2554 - return xerrors.Errorf("Value in field \"createdAt\" was too long") 2555 2555 - } 2556 2556 - 2557 2557 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("createdAt"))); err != nil { 2558 2558 - return err 2559 2559 - } 2560 2560 - if _, err := cw.WriteString(string("createdAt")); err != nil { 2561 2561 - return err 2562 2562 - } 2563 2563 - 2564 2564 - if len(t.CreatedAt) > 8192 { 2565 2565 - return xerrors.Errorf("Value in field t.CreatedAt was too long") 2566 2566 - } 2567 2567 - 2568 2568 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.CreatedAt))); err != nil { 2569 2569 - return err 2570 2570 - } 2571 2571 - if _, err := cw.WriteString(string(t.CreatedAt)); err != nil { 2572 2572 - return err 2573 2573 - } 2574 2574 - return nil 2575 2575 - } 2576 2576 - 2577 2577 - func (t *SailorStar) UnmarshalCBOR(r io.Reader) (err error) { 2578 2578 - *t = SailorStar{} 2579 2579 - 2580 2580 - cr := cbg.NewCborReader(r) 2581 2581 - 2582 2582 - maj, extra, err := cr.ReadHeader() 2583 2583 - if err != nil { 2584 2584 - return err 2585 2585 - } 2586 2586 - defer func() { 2587 2587 - if err == io.EOF { 2588 2588 - err = io.ErrUnexpectedEOF 2589 2589 - } 2590 2590 - }() 2591 2591 - 2592 2592 - if maj != cbg.MajMap { 2593 2593 - return fmt.Errorf("cbor input should be of type map") 2594 2594 - } 2595 2595 - 2596 2596 - if extra > cbg.MaxLength { 2597 2597 - return fmt.Errorf("SailorStar: map struct too large (%d)", extra) 2598 2598 - } 2599 2599 - 2600 2600 - n := extra 2601 2601 - 2602 2602 - nameBuf := make([]byte, 9) 2603 2603 - for i := uint64(0); i < n; i++ { 2604 2604 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 2605 2605 - if err != nil { 2606 2606 - return err 2607 2607 - } 2608 2608 - 2609 2609 - if !ok { 2610 2610 - // Field doesn't exist on this type, so ignore it 2611 2611 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 2612 2612 - return err 2613 2613 - } 2614 2614 - continue 2615 2615 - } 2616 2616 - 2617 2617 - switch string(nameBuf[:nameLen]) { 2618 2618 - // t.LexiconTypeID (string) (string) 2619 2619 - case "$type": 2620 2620 - 2621 2621 - { 2622 2622 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2623 2623 - if err != nil { 2624 2624 - return err 2625 2625 - } 2626 2626 - 2627 2627 - t.LexiconTypeID = string(sval) 2628 2628 - } 2629 2629 - // t.Subject (atproto.SailorStar_Subject) (struct) 2630 2630 - case "subject": 2631 2631 - 2632 2632 - { 2633 2633 - 2634 2634 - if err := t.Subject.UnmarshalCBOR(cr); err != nil { 2635 2635 - return xerrors.Errorf("unmarshaling t.Subject: %w", err) 2636 2636 - } 2637 2637 - 2638 2638 - } 2639 2639 - // t.CreatedAt (string) (string) 2640 2640 - case "createdAt": 2641 2641 - 2642 2642 - { 2643 2643 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2644 2644 - if err != nil { 2645 2645 - return err 2646 2646 - } 2647 2647 - 2648 2648 - t.CreatedAt = string(sval) 2649 2649 - } 2650 2650 - 2651 2651 - default: 2652 2652 - // Field doesn't exist on this type, so ignore it 2653 2653 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 2654 2654 - return err 2655 2655 - } 2656 2656 - } 2657 2657 - } 2658 2658 - 2659 2659 - return nil 2660 2660 - } 2661 2661 - func (t *SailorStar_Subject) MarshalCBOR(w io.Writer) error { 2662 2662 - if t == nil { 2663 2663 - _, err := w.Write(cbg.CborNull) 2664 2664 - return err 2665 2665 - } 2666 2666 - 2667 2667 - cw := cbg.NewCborWriter(w) 2668 2668 - fieldCount := 3 2669 2669 - 2670 2670 - if t.LexiconTypeID == "" { 2671 2671 - fieldCount-- 2672 2672 - } 2673 2673 - 2674 2674 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 2675 2675 - return err 2676 2676 - } 2677 2677 - 2678 2678 - // t.Did (string) (string) 2679 2679 - if len("did") > 8192 { 2680 2680 - return xerrors.Errorf("Value in field \"did\" was too long") 2681 2681 - } 2682 2682 - 2683 2683 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("did"))); err != nil { 2684 2684 - return err 2685 2685 - } 2686 2686 - if _, err := cw.WriteString(string("did")); err != nil { 2687 2687 - return err 329 329 + if len(t.Type) > 8192 { 330 330 + return xerrors.Errorf("Value in field t.Type was too long") 2688 331 } 2689 332 2690 2690 - if len(t.Did) > 8192 { 2691 2691 - return xerrors.Errorf("Value in field t.Did was too long") 2692 2692 - } 2693 2693 - 2694 2694 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Did))); err != nil { 333 333 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Type))); err != nil { 2695 334 return err 2696 335 } 2697 2697 - if _, err := cw.WriteString(string(t.Did)); err != nil { 2698 2698 - return err 2699 2699 - } 2700 2700 - 2701 2701 - // t.LexiconTypeID (string) (string) 2702 2702 - if t.LexiconTypeID != "" { 2703 2703 - 2704 2704 - if len("$type") > 8192 { 2705 2705 - return xerrors.Errorf("Value in field \"$type\" was too long") 2706 2706 - } 2707 2707 - 2708 2708 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 2709 2709 - return err 2710 2710 - } 2711 2711 - if _, err := cw.WriteString(string("$type")); err != nil { 2712 2712 - return err 2713 2713 - } 2714 2714 - 2715 2715 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.sailor.star#subject"))); err != nil { 2716 2716 - return err 2717 2717 - } 2718 2718 - if _, err := cw.WriteString(string("io.atcr.sailor.star#subject")); err != nil { 2719 2719 - return err 2720 2720 - } 2721 2721 - } 2722 2722 - 2723 2723 - // t.Repository (string) (string) 2724 2724 - if len("repository") > 8192 { 2725 2725 - return xerrors.Errorf("Value in field \"repository\" was too long") 2726 2726 - } 2727 2727 - 2728 2728 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("repository"))); err != nil { 2729 2729 - return err 2730 2730 - } 2731 2731 - if _, err := cw.WriteString(string("repository")); err != nil { 2732 2732 - return err 2733 2733 - } 2734 2734 - 2735 2735 - if len(t.Repository) > 8192 { 2736 2736 - return xerrors.Errorf("Value in field t.Repository was too long") 2737 2737 - } 2738 2738 - 2739 2739 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Repository))); err != nil { 2740 2740 - return err 2741 2741 - } 2742 2742 - if _, err := cw.WriteString(string(t.Repository)); err != nil { 2743 2743 - return err 2744 2744 - } 2745 2745 - return nil 2746 2746 - } 2747 2747 - 2748 2748 - func (t *SailorStar_Subject) UnmarshalCBOR(r io.Reader) (err error) { 2749 2749 - *t = SailorStar_Subject{} 2750 2750 - 2751 2751 - cr := cbg.NewCborReader(r) 2752 2752 - 2753 2753 - maj, extra, err := cr.ReadHeader() 2754 2754 - if err != nil { 2755 2755 - return err 2756 2756 - } 2757 2757 - defer func() { 2758 2758 - if err == io.EOF { 2759 2759 - err = io.ErrUnexpectedEOF 2760 2760 - } 2761 2761 - }() 2762 2762 - 2763 2763 - if maj != cbg.MajMap { 2764 2764 - return fmt.Errorf("cbor input should be of type map") 2765 2765 - } 2766 2766 - 2767 2767 - if extra > cbg.MaxLength { 2768 2768 - return fmt.Errorf("SailorStar_Subject: map struct too large (%d)", extra) 2769 2769 - } 2770 2770 - 2771 2771 - n := extra 2772 2772 - 2773 2773 - nameBuf := make([]byte, 10) 2774 2774 - for i := uint64(0); i < n; i++ { 2775 2775 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 2776 2776 - if err != nil { 2777 2777 - return err 2778 2778 - } 2779 2779 - 2780 2780 - if !ok { 2781 2781 - // Field doesn't exist on this type, so ignore it 2782 2782 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 2783 2783 - return err 2784 2784 - } 2785 2785 - continue 2786 2786 - } 2787 2787 - 2788 2788 - switch string(nameBuf[:nameLen]) { 2789 2789 - // t.Did (string) (string) 2790 2790 - case "did": 2791 2791 - 2792 2792 - { 2793 2793 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2794 2794 - if err != nil { 2795 2795 - return err 2796 2796 - } 2797 2797 - 2798 2798 - t.Did = string(sval) 2799 2799 - } 2800 2800 - // t.LexiconTypeID (string) (string) 2801 2801 - case "$type": 2802 2802 - 2803 2803 - { 2804 2804 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2805 2805 - if err != nil { 2806 2806 - return err 2807 2807 - } 2808 2808 - 2809 2809 - t.LexiconTypeID = string(sval) 2810 2810 - } 2811 2811 - // t.Repository (string) (string) 2812 2812 - case "repository": 2813 2813 - 2814 2814 - { 2815 2815 - sval, err := cbg.ReadStringWithMax(cr, 8192) 2816 2816 - if err != nil { 2817 2817 - return err 2818 2818 - } 2819 2819 - 2820 2820 - t.Repository = string(sval) 2821 2821 - } 2822 2822 - 2823 2823 - default: 2824 2824 - // Field doesn't exist on this type, so ignore it 2825 2825 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 2826 2826 - return err 2827 2827 - } 2828 2828 - } 2829 2829 - } 2830 2830 - 2831 2831 - return nil 2832 2832 - } 2833 2833 - func (t *HoldCaptain) MarshalCBOR(w io.Writer) error { 2834 2834 - if t == nil { 2835 2835 - _, err := w.Write(cbg.CborNull) 2836 2836 - return err 2837 2837 - } 2838 2838 - 2839 2839 - cw := cbg.NewCborWriter(w) 2840 2840 - fieldCount := 8 2841 2841 - 2842 2842 - if t.Provider == nil { 2843 2843 - fieldCount-- 2844 2844 - } 2845 2845 - 2846 2846 - if t.Region == nil { 2847 2847 - fieldCount-- 2848 2848 - } 2849 2849 - 2850 2850 - if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil { 2851 2851 - return err 2852 2852 - } 2853 2853 - 2854 2854 - // t.LexiconTypeID (string) (string) 2855 2855 - if len("$type") > 8192 { 2856 2856 - return xerrors.Errorf("Value in field \"$type\" was too long") 2857 2857 - } 2858 2858 - 2859 2859 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 2860 2860 - return err 2861 2861 - } 2862 2862 - if _, err := cw.WriteString(string("$type")); err != nil { 2863 2863 - return err 2864 2864 - } 2865 2865 - 2866 2866 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.hold.captain"))); err != nil { 2867 2867 - return err 2868 2868 - } 2869 2869 - if _, err := cw.WriteString(string("io.atcr.hold.captain")); err != nil { 336 336 + if _, err := cw.WriteString(string(t.Type)); err != nil { 2870 337 return err 2871 338 } 2872 339 ··· 2910 377 } 2911 378 2912 379 // t.Region (string) (string) 2913 2913 - if t.Region != nil { 380 380 + if t.Region != "" { 2914 381 2915 382 if len("region") > 8192 { 2916 383 return xerrors.Errorf("Value in field \"region\" was too long") ··· 2923 390 return err 2924 391 } 2925 392 2926 2926 - if t.Region == nil { 2927 2927 - if _, err := cw.Write(cbg.CborNull); err != nil { 2928 2928 - return err 2929 2929 - } 2930 2930 - } else { 2931 2931 - if len(*t.Region) > 8192 { 2932 2932 - return xerrors.Errorf("Value in field t.Region was too long") 2933 2933 - } 393 393 + if len(t.Region) > 8192 { 394 394 + return xerrors.Errorf("Value in field t.Region was too long") 395 395 + } 2934 396 2935 2935 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.Region))); err != nil { 2936 2936 - return err 2937 2937 - } 2938 2938 - if _, err := cw.WriteString(string(*t.Region)); err != nil { 2939 2939 - return err 2940 2940 - } 397 397 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Region))); err != nil { 398 398 + return err 399 399 + } 400 400 + if _, err := cw.WriteString(string(t.Region)); err != nil { 401 401 + return err 2941 402 } 2942 403 } 2943 404 2944 405 // t.Provider (string) (string) 2945 2945 - if t.Provider != nil { 406 406 + if t.Provider != "" { 2946 407 2947 408 if len("provider") > 8192 { 2948 409 return xerrors.Errorf("Value in field \"provider\" was too long") ··· 2955 416 return err 2956 417 } 2957 418 2958 2958 - if t.Provider == nil { 2959 2959 - if _, err := cw.Write(cbg.CborNull); err != nil { 2960 2960 - return err 2961 2961 - } 2962 2962 - } else { 2963 2963 - if len(*t.Provider) > 8192 { 2964 2964 - return xerrors.Errorf("Value in field t.Provider was too long") 2965 2965 - } 419 419 + if len(t.Provider) > 8192 { 420 420 + return xerrors.Errorf("Value in field t.Provider was too long") 421 421 + } 2966 422 2967 2967 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.Provider))); err != nil { 2968 2968 - return err 2969 2969 - } 2970 2970 - if _, err := cw.WriteString(string(*t.Provider)); err != nil { 2971 2971 - return err 2972 2972 - } 423 423 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Provider))); err != nil { 424 424 + return err 425 425 + } 426 426 + if _, err := cw.WriteString(string(t.Provider)); err != nil { 427 427 + return err 2973 428 } 2974 429 } 2975 430 ··· 3030 485 return nil 3031 486 } 3032 487 3033 3033 - func (t *HoldCaptain) UnmarshalCBOR(r io.Reader) (err error) { 3034 3034 - *t = HoldCaptain{} 488 488 + func (t *CaptainRecord) UnmarshalCBOR(r io.Reader) (err error) { 489 489 + *t = CaptainRecord{} 3035 490 3036 491 cr := cbg.NewCborReader(r) 3037 492 ··· 3050 505 } 3051 506 3052 507 if extra > cbg.MaxLength { 3053 3053 - return fmt.Errorf("HoldCaptain: map struct too large (%d)", extra) 508 508 + return fmt.Errorf("CaptainRecord: map struct too large (%d)", extra) 3054 509 } 3055 510 3056 511 n := extra ··· 3071 526 } 3072 527 3073 528 switch string(nameBuf[:nameLen]) { 3074 3074 - // t.LexiconTypeID (string) (string) 529 529 + // t.Type (string) (string) 3075 530 case "$type": 3076 531 3077 532 { ··· 3080 535 return err 3081 536 } 3082 537 3083 3083 - t.LexiconTypeID = string(sval) 538 538 + t.Type = string(sval) 3084 539 } 3085 540 // t.Owner (string) (string) 3086 541 case "owner": ··· 3115 570 case "region": 3116 571 3117 572 { 3118 3118 - b, err := cr.ReadByte() 573 573 + sval, err := cbg.ReadStringWithMax(cr, 8192) 3119 574 if err != nil { 3120 575 return err 3121 576 } 3122 3122 - if b != cbg.CborNull[0] { 3123 3123 - if err := cr.UnreadByte(); err != nil { 3124 3124 - return err 3125 3125 - } 3126 577 3127 3127 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3128 3128 - if err != nil { 3129 3129 - return err 3130 3130 - } 3131 3131 - 3132 3132 - t.Region = (*string)(&sval) 3133 3133 - } 578 578 + t.Region = string(sval) 3134 579 } 3135 580 // t.Provider (string) (string) 3136 581 case "provider": 3137 582 3138 583 { 3139 3139 - b, err := cr.ReadByte() 584 584 + sval, err := cbg.ReadStringWithMax(cr, 8192) 3140 585 if err != nil { 3141 586 return err 3142 587 } 3143 3143 - if b != cbg.CborNull[0] { 3144 3144 - if err := cr.UnreadByte(); err != nil { 3145 3145 - return err 3146 3146 - } 3147 588 3148 3148 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3149 3149 - if err != nil { 3150 3150 - return err 3151 3151 - } 3152 3152 - 3153 3153 - t.Provider = (*string)(&sval) 3154 3154 - } 589 589 + t.Provider = string(sval) 3155 590 } 3156 591 // t.DeployedAt (string) (string) 3157 592 case "deployedAt": ··· 3211 646 3212 647 return nil 3213 648 } 3214 3214 - func (t *HoldCrew) MarshalCBOR(w io.Writer) error { 3215 3215 - if t == nil { 3216 3216 - _, err := w.Write(cbg.CborNull) 3217 3217 - return err 3218 3218 - } 3219 3219 - 3220 3220 - cw := cbg.NewCborWriter(w) 3221 3221 - 3222 3222 - if _, err := cw.Write([]byte{165}); err != nil { 3223 3223 - return err 3224 3224 - } 3225 3225 - 3226 3226 - // t.Role (string) (string) 3227 3227 - if len("role") > 8192 { 3228 3228 - return xerrors.Errorf("Value in field \"role\" was too long") 3229 3229 - } 3230 3230 - 3231 3231 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("role"))); err != nil { 3232 3232 - return err 3233 3233 - } 3234 3234 - if _, err := cw.WriteString(string("role")); err != nil { 3235 3235 - return err 3236 3236 - } 3237 3237 - 3238 3238 - if len(t.Role) > 8192 { 3239 3239 - return xerrors.Errorf("Value in field t.Role was too long") 3240 3240 - } 3241 3241 - 3242 3242 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Role))); err != nil { 3243 3243 - return err 3244 3244 - } 3245 3245 - if _, err := cw.WriteString(string(t.Role)); err != nil { 3246 3246 - return err 3247 3247 - } 3248 3248 - 3249 3249 - // t.LexiconTypeID (string) (string) 3250 3250 - if len("$type") > 8192 { 3251 3251 - return xerrors.Errorf("Value in field \"$type\" was too long") 3252 3252 - } 3253 3253 - 3254 3254 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil { 3255 3255 - return err 3256 3256 - } 3257 3257 - if _, err := cw.WriteString(string("$type")); err != nil { 3258 3258 - return err 3259 3259 - } 3260 3260 - 3261 3261 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.hold.crew"))); err != nil { 3262 3262 - return err 3263 3263 - } 3264 3264 - if _, err := cw.WriteString(string("io.atcr.hold.crew")); err != nil { 3265 3265 - return err 3266 3266 - } 3267 3267 - 3268 3268 - // t.Member (string) (string) 3269 3269 - if len("member") > 8192 { 3270 3270 - return xerrors.Errorf("Value in field \"member\" was too long") 3271 3271 - } 3272 3272 - 3273 3273 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("member"))); err != nil { 3274 3274 - return err 3275 3275 - } 3276 3276 - if _, err := cw.WriteString(string("member")); err != nil { 3277 3277 - return err 3278 3278 - } 3279 3279 - 3280 3280 - if len(t.Member) > 8192 { 3281 3281 - return xerrors.Errorf("Value in field t.Member was too long") 3282 3282 - } 3283 3283 - 3284 3284 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Member))); err != nil { 3285 3285 - return err 3286 3286 - } 3287 3287 - if _, err := cw.WriteString(string(t.Member)); err != nil { 3288 3288 - return err 3289 3289 - } 3290 3290 - 3291 3291 - // t.AddedAt (string) (string) 3292 3292 - if len("addedAt") > 8192 { 3293 3293 - return xerrors.Errorf("Value in field \"addedAt\" was too long") 3294 3294 - } 3295 3295 - 3296 3296 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("addedAt"))); err != nil { 3297 3297 - return err 3298 3298 - } 3299 3299 - if _, err := cw.WriteString(string("addedAt")); err != nil { 3300 3300 - return err 3301 3301 - } 3302 3302 - 3303 3303 - if len(t.AddedAt) > 8192 { 3304 3304 - return xerrors.Errorf("Value in field t.AddedAt was too long") 3305 3305 - } 3306 3306 - 3307 3307 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.AddedAt))); err != nil { 3308 3308 - return err 3309 3309 - } 3310 3310 - if _, err := cw.WriteString(string(t.AddedAt)); err != nil { 3311 3311 - return err 3312 3312 - } 3313 3313 - 3314 3314 - // t.Permissions ([]string) (slice) 3315 3315 - if len("permissions") > 8192 { 3316 3316 - return xerrors.Errorf("Value in field \"permissions\" was too long") 3317 3317 - } 3318 3318 - 3319 3319 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("permissions"))); err != nil { 3320 3320 - return err 3321 3321 - } 3322 3322 - if _, err := cw.WriteString(string("permissions")); err != nil { 3323 3323 - return err 3324 3324 - } 3325 3325 - 3326 3326 - if len(t.Permissions) > 8192 { 3327 3327 - return xerrors.Errorf("Slice value in field t.Permissions was too long") 3328 3328 - } 3329 3329 - 3330 3330 - if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.Permissions))); err != nil { 3331 3331 - return err 3332 3332 - } 3333 3333 - for _, v := range t.Permissions { 3334 3334 - if len(v) > 8192 { 3335 3335 - return xerrors.Errorf("Value in field v was too long") 3336 3336 - } 3337 3337 - 3338 3338 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(v))); err != nil { 3339 3339 - return err 3340 3340 - } 3341 3341 - if _, err := cw.WriteString(string(v)); err != nil { 3342 3342 - return err 3343 3343 - } 3344 3344 - 3345 3345 - } 3346 3346 - return nil 3347 3347 - } 3348 3348 - 3349 3349 - func (t *HoldCrew) UnmarshalCBOR(r io.Reader) (err error) { 3350 3350 - *t = HoldCrew{} 3351 3351 - 3352 3352 - cr := cbg.NewCborReader(r) 3353 3353 - 3354 3354 - maj, extra, err := cr.ReadHeader() 3355 3355 - if err != nil { 3356 3356 - return err 3357 3357 - } 3358 3358 - defer func() { 3359 3359 - if err == io.EOF { 3360 3360 - err = io.ErrUnexpectedEOF 3361 3361 - } 3362 3362 - }() 3363 3363 - 3364 3364 - if maj != cbg.MajMap { 3365 3365 - return fmt.Errorf("cbor input should be of type map") 3366 3366 - } 3367 3367 - 3368 3368 - if extra > cbg.MaxLength { 3369 3369 - return fmt.Errorf("HoldCrew: map struct too large (%d)", extra) 3370 3370 - } 3371 3371 - 3372 3372 - n := extra 3373 3373 - 3374 3374 - nameBuf := make([]byte, 11) 3375 3375 - for i := uint64(0); i < n; i++ { 3376 3376 - nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192) 3377 3377 - if err != nil { 3378 3378 - return err 3379 3379 - } 3380 3380 - 3381 3381 - if !ok { 3382 3382 - // Field doesn't exist on this type, so ignore it 3383 3383 - if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil { 3384 3384 - return err 3385 3385 - } 3386 3386 - continue 3387 3387 - } 3388 3388 - 3389 3389 - switch string(nameBuf[:nameLen]) { 3390 3390 - // t.Role (string) (string) 3391 3391 - case "role": 3392 3392 - 3393 3393 - { 3394 3394 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3395 3395 - if err != nil { 3396 3396 - return err 3397 3397 - } 3398 3398 - 3399 3399 - t.Role = string(sval) 3400 3400 - } 3401 3401 - // t.LexiconTypeID (string) (string) 3402 3402 - case "$type": 3403 3403 - 3404 3404 - { 3405 3405 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3406 3406 - if err != nil { 3407 3407 - return err 3408 3408 - } 3409 3409 - 3410 3410 - t.LexiconTypeID = string(sval) 3411 3411 - } 3412 3412 - // t.Member (string) (string) 3413 3413 - case "member": 3414 3414 - 3415 3415 - { 3416 3416 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3417 3417 - if err != nil { 3418 3418 - return err 3419 3419 - } 3420 3420 - 3421 3421 - t.Member = string(sval) 3422 3422 - } 3423 3423 - // t.AddedAt (string) (string) 3424 3424 - case "addedAt": 3425 3425 - 3426 3426 - { 3427 3427 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3428 3428 - if err != nil { 3429 3429 - return err 3430 3430 - } 3431 3431 - 3432 3432 - t.AddedAt = string(sval) 3433 3433 - } 3434 3434 - // t.Permissions ([]string) (slice) 3435 3435 - case "permissions": 3436 3436 - 3437 3437 - maj, extra, err = cr.ReadHeader() 3438 3438 - if err != nil { 3439 3439 - return err 3440 3440 - } 3441 3441 - 3442 3442 - if extra > 8192 { 3443 3443 - return fmt.Errorf("t.Permissions: array too large (%d)", extra) 3444 3444 - } 3445 3445 - 3446 3446 - if maj != cbg.MajArray { 3447 3447 - return fmt.Errorf("expected cbor array") 3448 3448 - } 3449 3449 - 3450 3450 - if extra > 0 { 3451 3451 - t.Permissions = make([]string, extra) 3452 3452 - } 3453 3453 - 3454 3454 - for i := 0; i < int(extra); i++ { 3455 3455 - { 3456 3456 - var maj byte 3457 3457 - var extra uint64 3458 3458 - var err error 3459 3459 - _ = maj 3460 3460 - _ = extra 3461 3461 - _ = err 3462 3462 - 3463 3463 - { 3464 3464 - sval, err := cbg.ReadStringWithMax(cr, 8192) 3465 3465 - if err != nil { 3466 3466 - return err 3467 3467 - } 3468 3468 - 3469 3469 - t.Permissions[i] = string(sval) 3470 3470 - } 3471 3471 - 3472 3472 - } 3473 3473 - } 3474 3474 - 3475 3475 - default: 3476 3476 - // Field doesn't exist on this type, so ignore it 3477 3477 - if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil { 3478 3478 - return err 3479 3479 - } 3480 3480 - } 3481 3481 - } 3482 3482 - 3483 3483 - return nil 3484 3484 - } 3485 3485 - func (t *HoldLayer) MarshalCBOR(w io.Writer) error { 649 649 + func (t *LayerRecord) MarshalCBOR(w io.Writer) error { 3486 650 if t == nil { 3487 651 _, err := w.Write(cbg.CborNull) 3488 652 return err ··· 3516 680 } 3517 681 } 3518 682 3519 3519 - // t.LexiconTypeID (string) (string) 683 683 + // t.Type (string) (string) 3520 684 if len("$type") > 8192 { 3521 685 return xerrors.Errorf("Value in field \"$type\" was too long") 3522 686 } ··· 3528 692 return err 3529 693 } 3530 694 3531 3531 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("io.atcr.hold.layer"))); err != nil { 695 695 + if len(t.Type) > 8192 { 696 696 + return xerrors.Errorf("Value in field t.Type was too long") 697 697 + } 698 698 + 699 699 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Type))); err != nil { 3532 700 return err 3533 701 } 3534 3534 - if _, err := cw.WriteString(string("io.atcr.hold.layer")); err != nil { 702 702 + if _, err := cw.WriteString(string(t.Type)); err != nil { 3535 703 return err 3536 704 } 3537 705 ··· 3558 726 return err 3559 727 } 3560 728 3561 3561 - // t.UserDid (string) (string) 729 729 + // t.UserDID (string) (string) 3562 730 if len("userDid") > 8192 { 3563 731 return xerrors.Errorf("Value in field \"userDid\" was too long") 3564 732 } ··· 3570 738 return err 3571 739 } 3572 740 3573 3573 - if len(t.UserDid) > 8192 { 3574 3574 - return xerrors.Errorf("Value in field t.UserDid was too long") 741 741 + if len(t.UserDID) > 8192 { 742 742 + return xerrors.Errorf("Value in field t.UserDID was too long") 3575 743 } 3576 744 3577 3577 - if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.UserDid))); err != nil { 745 745 + if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.UserDID))); err != nil { 3578 746 return err 3579 747 } 3580 3580 - if _, err := cw.WriteString(string(t.UserDid)); err != nil { 748 748 + if _, err := cw.WriteString(string(t.UserDID)); err != nil { 3581 749 return err 3582 750 } 3583 751 ··· 3675 843 return nil 3676 844 } 3677 845 3678 3678 - func (t *HoldLayer) UnmarshalCBOR(r io.Reader) (err error) { 3679 3679 - *t = HoldLayer{} 846 846 + func (t *LayerRecord) UnmarshalCBOR(r io.Reader) (err error) { 847 847 + *t = LayerRecord{} 3680 848 3681 849 cr := cbg.NewCborReader(r) 3682 850 ··· 3695 863 } 3696 864 3697 865 if extra > cbg.MaxLength { 3698 3698 - return fmt.Errorf("HoldLayer: map struct too large (%d)", extra) 866 866 + return fmt.Errorf("LayerRecord: map struct too large (%d)", extra) 3699 867 } 3700 868 3701 869 n := extra ··· 3742 910 3743 911 t.Size = int64(extraI) 3744 912 } 3745 3745 - // t.LexiconTypeID (string) (string) 913 913 + // t.Type (string) (string) 3746 914 case "$type": 3747 915 3748 916 { ··· 3751 919 return err 3752 920 } 3753 921 3754 3754 - t.LexiconTypeID = string(sval) 922 922 + t.Type = string(sval) 3755 923 } 3756 924 // t.Digest (string) (string) 3757 925 case "digest": ··· 3764 932 3765 933 t.Digest = string(sval) 3766 934 } 3767 3767 - // t.UserDid (string) (string) 935 935 + // t.UserDID (string) (string) 3768 936 case "userDid": 3769 937 3770 938 { ··· 3773 941 return err 3774 942 } 3775 943 3776 3776 - t.UserDid = string(sval) 944 944 + t.UserDID = string(sval) 3777 945 } 3778 946 // t.CreatedAt (string) (string) 3779 947 case "createdAt":

+7 -21

pkg/atproto/client.go

··· 13 13 14 14 "github.com/bluesky-social/indigo/atproto/atclient" 15 15 indigo_oauth "github.com/bluesky-social/indigo/atproto/auth/oauth" 16 16 - lexutil "github.com/bluesky-social/indigo/lex/util" 17 17 - "github.com/ipfs/go-cid" 18 16 ) 19 17 20 18 // Sentinel errors ··· 303 301 } 304 302 305 303 // UploadBlob uploads binary data to the PDS and returns a blob reference 306 306 - func (c *Client) UploadBlob(ctx context.Context, data []byte, mimeType string) (*lexutil.LexBlob, error) { 304 304 + func (c *Client) UploadBlob(ctx context.Context, data []byte, mimeType string) (*ATProtoBlobRef, error) { 307 305 // Use session provider (locked OAuth with DPoP) - prevents nonce races 308 306 if c.sessionProvider != nil { 309 307 var result struct { ··· 312 310 313 311 err := c.sessionProvider.DoWithSession(ctx, c.did, func(session *indigo_oauth.ClientSession) error { 314 312 apiClient := session.APIClient() 313 313 + // IMPORTANT: Use io.Reader for blob uploads 314 314 + // LexDo JSON-encodes []byte (base64), but streams io.Reader as raw bytes 315 315 + // Use the actual MIME type so PDS can validate against blob:image/* scope 315 316 return apiClient.LexDo(ctx, 316 317 "POST", 317 318 mimeType, 318 319 "com.atproto.repo.uploadBlob", 319 320 nil, 320 320 - data, 321 321 + bytes.NewReader(data), 321 322 &result, 322 323 ) 323 324 }) ··· 325 326 return nil, fmt.Errorf("uploadBlob failed: %w", err) 326 327 } 327 328 328 328 - return atProtoBlobRefToLexBlob(&result.Blob) 329 329 + return &result.Blob, nil 329 330 } 330 331 331 332 // Basic Auth (app passwords) ··· 356 357 return nil, fmt.Errorf("failed to decode response: %w", err) 357 358 } 358 359 359 359 - return atProtoBlobRefToLexBlob(&result.Blob) 360 360 - } 361 361 - 362 362 - // atProtoBlobRefToLexBlob converts an ATProtoBlobRef to a lexutil.LexBlob 363 363 - func atProtoBlobRefToLexBlob(ref *ATProtoBlobRef) (*lexutil.LexBlob, error) { 364 364 - // Parse the CID string from the $link field 365 365 - c, err := cid.Decode(ref.Ref.Link) 366 366 - if err != nil { 367 367 - return nil, fmt.Errorf("failed to parse blob CID %q: %w", ref.Ref.Link, err) 368 368 - } 369 369 - 370 370 - return &lexutil.LexBlob{ 371 371 - Ref: lexutil.LexLink(c), 372 372 - MimeType: ref.MimeType, 373 373 - Size: ref.Size, 374 374 - }, nil 360 360 + return &result.Blob, nil 375 361 } 376 362 377 363 // GetBlob downloads a blob by its CID from the PDS

+6 -8

pkg/atproto/client_test.go

··· 386 386 t.Errorf("Content-Type = %v, want %v", r.Header.Get("Content-Type"), mimeType) 387 387 } 388 388 389 389 - // Send response - use a valid CIDv1 in base32 format 389 389 + // Send response 390 390 response := `{ 391 391 "blob": { 392 392 "$type": "blob", 393 393 - "ref": {"$link": "bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"}, 393 393 + "ref": {"$link": "bafytest123"}, 394 394 "mimeType": "application/octet-stream", 395 395 "size": 17 396 396 } ··· 406 406 t.Fatalf("UploadBlob() error = %v", err) 407 407 } 408 408 409 409 - if blobRef.MimeType != mimeType { 410 410 - t.Errorf("MimeType = %v, want %v", blobRef.MimeType, mimeType) 409 409 + if blobRef.Type != "blob" { 410 410 + t.Errorf("Type = %v, want blob", blobRef.Type) 411 411 } 412 412 413 413 - // LexBlob.Ref is a LexLink (cid.Cid alias), use .String() to get the CID string 414 414 - expectedCID := "bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku" 415 415 - if blobRef.Ref.String() != expectedCID { 416 416 - t.Errorf("Ref.String() = %v, want %v", blobRef.Ref.String(), expectedCID) 413 413 + if blobRef.Ref.Link != "bafytest123" { 414 414 + t.Errorf("Ref.Link = %v, want bafytest123", blobRef.Ref.Link) 417 415 } 418 416 419 417 if blobRef.Size != 17 {

+11 -255

pkg/atproto/generate.go

··· 3 3 4 4 package main 5 5 6 6 - // Lexicon and CBOR Code Generator 6 6 + // CBOR Code Generator 7 7 // 8 8 - // This generates: 9 9 - // 1. Go types from lexicon JSON files (via lex/lexgen library) 10 10 - // 2. CBOR marshaling code for ATProto records (via cbor-gen) 11 11 - // 3. Type registration for lexutil (register.go) 8 8 + // This generates optimized CBOR marshaling code for ATProto records. 12 9 // 13 10 // Usage: 14 11 // go generate ./pkg/atproto/... 15 12 // 16 16 - // Key insight: We use RegisterLexiconTypeID: false to avoid generating init() 17 17 - // blocks that require CBORMarshaler. This breaks the circular dependency between 18 18 - // lexgen and cbor-gen. See: https://github.com/bluesky-social/indigo/issues/931 19 19 - 20 20 - import ( 21 21 - "bytes" 22 22 - "encoding/json" 23 23 - "fmt" 24 24 - "os" 25 25 - "os/exec" 26 26 - "path/filepath" 27 27 - "strings" 28 28 - 29 29 - "github.com/bluesky-social/indigo/atproto/lexicon" 30 30 - "github.com/bluesky-social/indigo/lex/lexgen" 31 31 - "golang.org/x/tools/imports" 32 32 - ) 33 33 - 34 34 - func main() { 35 35 - // Find repo root 36 36 - repoRoot, err := findRepoRoot() 37 37 - if err != nil { 38 38 - fmt.Printf("failed to find repo root: %v\n", err) 39 39 - os.Exit(1) 40 40 - } 41 41 - 42 42 - pkgDir := filepath.Join(repoRoot, "pkg/atproto") 43 43 - lexDir := filepath.Join(repoRoot, "lexicons") 44 44 - 45 45 - // Step 0: Clean up old register.go to avoid conflicts 46 46 - // (It will be regenerated at the end) 47 47 - os.Remove(filepath.Join(pkgDir, "register.go")) 48 48 - 49 49 - // Step 1: Load all lexicon schemas into catalog (for cross-references) 50 50 - fmt.Println("Loading lexicons...") 51 51 - cat := lexicon.NewBaseCatalog() 52 52 - if err := cat.LoadDirectory(lexDir); err != nil { 53 53 - fmt.Printf("failed to load lexicons: %v\n", err) 54 54 - os.Exit(1) 55 55 - } 56 56 - 57 57 - // Step 2: Generate Go code for each lexicon file 58 58 - fmt.Println("Running lexgen...") 59 59 - config := &lexgen.GenConfig{ 60 60 - RegisterLexiconTypeID: false, // KEY: no init() blocks generated 61 61 - UnknownType: "map-string-any", 62 62 - WarningText: "Code generated by generate.go; DO NOT EDIT.", 63 63 - } 64 64 - 65 65 - // Track generated types for register.go 66 66 - var registeredTypes []typeInfo 67 67 - 68 68 - // Walk lexicon directory and generate code for each file 69 69 - err = filepath.Walk(lexDir, func(path string, info os.FileInfo, err error) error { 70 70 - if err != nil { 71 71 - return err 72 72 - } 73 73 - if info.IsDir() || !strings.HasSuffix(path, ".json") { 74 74 - return nil 75 75 - } 76 76 - 77 77 - // Load and parse the schema file 78 78 - data, err := os.ReadFile(path) 79 79 - if err != nil { 80 80 - return fmt.Errorf("failed to read %s: %w", path, err) 81 81 - } 82 82 - 83 83 - var sf lexicon.SchemaFile 84 84 - if err := json.Unmarshal(data, &sf); err != nil { 85 85 - return fmt.Errorf("failed to parse %s: %w", path, err) 86 86 - } 87 87 - 88 88 - if err := sf.FinishParse(); err != nil { 89 89 - return fmt.Errorf("failed to finish parse %s: %w", path, err) 90 90 - } 91 91 - 92 92 - // Flatten the schema 93 93 - flat, err := lexgen.FlattenSchemaFile(&sf) 94 94 - if err != nil { 95 95 - return fmt.Errorf("failed to flatten schema %s: %w", path, err) 96 96 - } 97 97 - 98 98 - // Generate code 99 99 - var buf bytes.Buffer 100 100 - gen := &lexgen.CodeGenerator{ 101 101 - Config: config, 102 102 - Lex: flat, 103 103 - Cat: &cat, 104 104 - Out: &buf, 105 105 - } 106 106 - 107 107 - if err := gen.WriteLexicon(); err != nil { 108 108 - return fmt.Errorf("failed to generate code for %s: %w", path, err) 109 109 - } 110 110 - 111 111 - // Fix package name: lexgen generates "ioatcr" but we want "atproto" 112 112 - code := bytes.Replace(buf.Bytes(), []byte("package ioatcr"), []byte("package atproto"), 1) 113 113 - 114 114 - // Format with goimports 115 115 - fileName := gen.FileName() 116 116 - formatted, err := imports.Process(fileName, code, nil) 117 117 - if err != nil { 118 118 - // Write unformatted for debugging 119 119 - outPath := filepath.Join(pkgDir, fileName) 120 120 - os.WriteFile(outPath+".broken", code, 0644) 121 121 - return fmt.Errorf("failed to format %s: %w (wrote to %s.broken)", fileName, err, outPath) 122 122 - } 123 123 - 124 124 - // Write output file 125 125 - outPath := filepath.Join(pkgDir, fileName) 126 126 - if err := os.WriteFile(outPath, formatted, 0644); err != nil { 127 127 - return fmt.Errorf("failed to write %s: %w", outPath, err) 128 128 - } 129 129 - 130 130 - fmt.Printf(" Generated %s\n", fileName) 131 131 - 132 132 - // Track type for registration - compute type name from NSID 133 133 - typeName := nsidToTypeName(sf.ID) 134 134 - registeredTypes = append(registeredTypes, typeInfo{ 135 135 - NSID: sf.ID, 136 136 - TypeName: typeName, 137 137 - }) 138 138 - 139 139 - return nil 140 140 - }) 141 141 - if err != nil { 142 142 - fmt.Printf("lexgen failed: %v\n", err) 143 143 - os.Exit(1) 144 144 - } 145 145 - 146 146 - // Step 3: Run cbor-gen via exec.Command 147 147 - // This must be a separate process so it can compile the freshly generated types 148 148 - fmt.Println("Running cbor-gen...") 149 149 - if err := runCborGen(repoRoot, pkgDir); err != nil { 150 150 - fmt.Printf("cbor-gen failed: %v\n", err) 151 151 - os.Exit(1) 152 152 - } 153 153 - 154 154 - // Step 4: Generate register.go 155 155 - fmt.Println("Generating register.go...") 156 156 - if err := generateRegisterFile(pkgDir, registeredTypes); err != nil { 157 157 - fmt.Printf("failed to generate register.go: %v\n", err) 158 158 - os.Exit(1) 159 159 - } 160 160 - 161 161 - fmt.Println("Code generation complete!") 162 162 - } 163 163 - 164 164 - type typeInfo struct { 165 165 - NSID string 166 166 - TypeName string 167 167 - } 168 168 - 169 169 - // nsidToTypeName converts an NSID to a Go type name 170 170 - // io.atcr.manifest → Manifest 171 171 - // io.atcr.hold.captain → HoldCaptain 172 172 - // io.atcr.sailor.profile → SailorProfile 173 173 - func nsidToTypeName(nsid string) string { 174 174 - parts := strings.Split(nsid, ".") 175 175 - if len(parts) < 3 { 176 176 - return "" 177 177 - } 178 178 - // Skip the first two parts (authority, e.g., "io.atcr") 179 179 - // and capitalize each remaining part 180 180 - var result string 181 181 - for _, part := range parts[2:] { 182 182 - if len(part) > 0 { 183 183 - result += strings.ToUpper(part[:1]) + part[1:] 184 184 - } 185 185 - } 186 186 - return result 187 187 - } 188 188 - 189 189 - func runCborGen(repoRoot, pkgDir string) error { 190 190 - // Create a temporary Go file that runs cbor-gen 191 191 - cborGenCode := `//go:build ignore 192 192 - 193 193 - package main 13 13 + // This creates pkg/atproto/cbor_gen.go which should be committed to git. 14 14 + // Only re-run when you modify types in pkg/atproto/types.go 15 15 + // 16 16 + // The //go:generate directive is in lexicon.go 194 17 195 18 import ( 196 19 "fmt" ··· 202 25 ) 203 26 204 27 func main() { 28 28 + // Generate map-style encoders for CrewRecord, CaptainRecord, LayerRecord, and TangledProfileRecord 205 29 if err := cbg.WriteMapEncodersToFile("cbor_gen.go", "atproto", 206 206 - // Manifest types 207 207 - atproto.Manifest{}, 208 208 - atproto.Manifest_BlobReference{}, 209 209 - atproto.Manifest_ManifestReference{}, 210 210 - atproto.Manifest_Platform{}, 211 211 - atproto.Manifest_Annotations{}, 212 212 - atproto.Manifest_BlobReference_Annotations{}, 213 213 - atproto.Manifest_ManifestReference_Annotations{}, 214 214 - // Tag 215 215 - atproto.Tag{}, 216 216 - // Sailor types 217 217 - atproto.SailorProfile{}, 218 218 - atproto.SailorStar{}, 219 219 - atproto.SailorStar_Subject{}, 220 220 - // Hold types 221 221 - atproto.HoldCaptain{}, 222 222 - atproto.HoldCrew{}, 223 223 - atproto.HoldLayer{}, 224 224 - // External types 30 30 + atproto.CrewRecord{}, 31 31 + atproto.CaptainRecord{}, 32 32 + atproto.LayerRecord{}, 225 33 atproto.TangledProfileRecord{}, 226 34 ); err != nil { 227 227 - fmt.Printf("cbor-gen failed: %v\n", err) 35 35 + fmt.Printf("Failed to generate CBOR encoders: %v\n", err) 228 36 os.Exit(1) 229 37 } 230 38 } 231 231 - ` 232 232 - 233 233 - // Write temp file 234 234 - tmpFile := filepath.Join(pkgDir, "cborgen_tmp.go") 235 235 - if err := os.WriteFile(tmpFile, []byte(cborGenCode), 0644); err != nil { 236 236 - return fmt.Errorf("failed to write temp cbor-gen file: %w", err) 237 237 - } 238 238 - defer os.Remove(tmpFile) 239 239 - 240 240 - // Run it 241 241 - cmd := exec.Command("go", "run", tmpFile) 242 242 - cmd.Dir = pkgDir 243 243 - cmd.Stdout = os.Stdout 244 244 - cmd.Stderr = os.Stderr 245 245 - return cmd.Run() 246 246 - } 247 247 - 248 248 - func generateRegisterFile(pkgDir string, types []typeInfo) error { 249 249 - var buf bytes.Buffer 250 250 - 251 251 - buf.WriteString("// Code generated by generate.go; DO NOT EDIT.\n\n") 252 252 - buf.WriteString("package atproto\n\n") 253 253 - buf.WriteString("import lexutil \"github.com/bluesky-social/indigo/lex/util\"\n\n") 254 254 - buf.WriteString("func init() {\n") 255 255 - 256 256 - for _, t := range types { 257 257 - fmt.Fprintf(&buf, "\tlexutil.RegisterType(%q, &%s{})\n", t.NSID, t.TypeName) 258 258 - } 259 259 - 260 260 - buf.WriteString("}\n") 261 261 - 262 262 - outPath := filepath.Join(pkgDir, "register.go") 263 263 - return os.WriteFile(outPath, buf.Bytes(), 0644) 264 264 - } 265 265 - 266 266 - func findRepoRoot() (string, error) { 267 267 - dir, err := os.Getwd() 268 268 - if err != nil { 269 269 - return "", err 270 270 - } 271 271 - 272 272 - for { 273 273 - if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil { 274 274 - return dir, nil 275 275 - } 276 276 - parent := filepath.Dir(dir) 277 277 - if parent == dir { 278 278 - return "", fmt.Errorf("go.mod not found") 279 279 - } 280 280 - dir = parent 281 281 - } 282 282 - }

-24

pkg/atproto/holdcaptain.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.hold.captain 4 4 - 5 5 - package atproto 6 6 - 7 7 - // Represents the hold's ownership and metadata. Stored as a singleton record at rkey 'self' in the hold's embedded PDS. 8 8 - type HoldCaptain struct { 9 9 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.hold.captain"` 10 10 - // allowAllCrew: Allow any authenticated user to register as crew 11 11 - AllowAllCrew bool `json:"allowAllCrew" cborgen:"allowAllCrew"` 12 12 - // deployedAt: RFC3339 timestamp of when the hold was deployed 13 13 - DeployedAt string `json:"deployedAt" cborgen:"deployedAt"` 14 14 - // enableBlueskyPosts: Enable Bluesky posts when manifests are pushed 15 15 - EnableBlueskyPosts bool `json:"enableBlueskyPosts" cborgen:"enableBlueskyPosts"` 16 16 - // owner: DID of the hold owner 17 17 - Owner string `json:"owner" cborgen:"owner"` 18 18 - // provider: Deployment provider (e.g., fly.io, aws, etc.) 19 19 - Provider *string `json:"provider,omitempty" cborgen:"provider,omitempty"` 20 20 - // public: Whether this hold allows public blob reads (pulls) without authentication 21 21 - Public bool `json:"public" cborgen:"public"` 22 22 - // region: S3 region where blobs are stored 23 23 - Region *string `json:"region,omitempty" cborgen:"region,omitempty"` 24 24 - }

-18

pkg/atproto/holdcrew.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.hold.crew 4 4 - 5 5 - package atproto 6 6 - 7 7 - // Crew member in a hold's embedded PDS. Grants access permissions to push blobs to the hold. Stored in the hold's embedded PDS (one record per member). 8 8 - type HoldCrew struct { 9 9 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.hold.crew"` 10 10 - // addedAt: RFC3339 timestamp of when the member was added 11 11 - AddedAt string `json:"addedAt" cborgen:"addedAt"` 12 12 - // member: DID of the crew member 13 13 - Member string `json:"member" cborgen:"member"` 14 14 - // permissions: Specific permissions granted to this member 15 15 - Permissions []string `json:"permissions" cborgen:"permissions"` 16 16 - // role: Member's role in the hold 17 17 - Role string `json:"role" cborgen:"role"` 18 18 - }

-24

pkg/atproto/holdlayer.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.hold.layer 4 4 - 5 5 - package atproto 6 6 - 7 7 - // Represents metadata about a container layer stored in the hold. Stored in the hold's embedded PDS for tracking and analytics. 8 8 - type HoldLayer struct { 9 9 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.hold.layer"` 10 10 - // createdAt: RFC3339 timestamp of when the layer was uploaded 11 11 - CreatedAt string `json:"createdAt" cborgen:"createdAt"` 12 12 - // digest: Layer digest (e.g., sha256:abc123...) 13 13 - Digest string `json:"digest" cborgen:"digest"` 14 14 - // mediaType: Media type (e.g., application/vnd.oci.image.layer.v1.tar+gzip) 15 15 - MediaType string `json:"mediaType" cborgen:"mediaType"` 16 16 - // repository: Repository this layer belongs to 17 17 - Repository string `json:"repository" cborgen:"repository"` 18 18 - // size: Size in bytes 19 19 - Size int64 `json:"size" cborgen:"size"` 20 20 - // userDid: DID of user who uploaded this layer 21 21 - UserDid string `json:"userDid" cborgen:"userDid"` 22 22 - // userHandle: Handle of user (for display purposes) 23 23 - UserHandle string `json:"userHandle" cborgen:"userHandle"` 24 24 - }

+40 -17

pkg/atproto/lexicon.go

··· 18 18 // TagCollection is the collection name for image tags 19 19 TagCollection = "io.atcr.tag" 20 20 21 21 - // HoldCollection is the collection name for storage holds (BYOS) 22 22 - HoldCollection = "io.atcr.hold" 23 23 - 24 21 // HoldCrewCollection is the collection name for hold crew (membership) - LEGACY BYOS model 25 22 // Stored in owner's PDS for BYOS holds 26 23 HoldCrewCollection = "io.atcr.hold.crew" ··· 41 38 // TangledProfileCollection is the collection name for tangled profiles 42 39 // Stored in hold's embedded PDS (singleton record at rkey "self") 43 40 TangledProfileCollection = "sh.tangled.actor.profile" 44 44 - 45 45 - // BskyPostCollection is the collection name for Bluesky posts 46 46 - BskyPostCollection = "app.bsky.feed.post" 47 41 48 42 // BskyPostCollection is the collection name for Bluesky posts 49 43 BskyPostCollection = "app.bsky.feed.post" ··· 53 47 54 48 // StarCollection is the collection name for repository stars 55 49 StarCollection = "io.atcr.sailor.star" 50 50 + 51 51 + // RepoPageCollection is the collection name for repository page metadata 52 52 + // Stored in user's PDS with rkey = repository name 53 53 + RepoPageCollection = "io.atcr.repo.page" 56 54 ) 57 55 58 56 // ManifestRecord represents a container image manifest stored in ATProto ··· 312 310 CreatedAt time.Time `json:"createdAt"` 313 311 } 314 312 315 315 - // NewHoldRecord creates a new hold record 316 316 - func NewHoldRecord(endpoint, owner string, public bool) *HoldRecord { 317 317 - return &HoldRecord{ 318 318 - Type: HoldCollection, 319 319 - Endpoint: endpoint, 320 320 - Owner: owner, 321 321 - Public: public, 322 322 - CreatedAt: time.Now(), 323 323 - } 324 324 - } 325 325 - 326 313 // SailorProfileRecord represents a user's profile with registry preferences 327 314 // Stored in the user's PDS to configure default hold and other settings 328 315 type SailorProfileRecord struct { ··· 348 335 return &SailorProfileRecord{ 349 336 Type: SailorProfileCollection, 350 337 DefaultHold: defaultHold, 338 338 + CreatedAt: now, 339 339 + UpdatedAt: now, 340 340 + } 341 341 + } 342 342 + 343 343 + // RepoPageRecord represents repository page metadata (description + avatar) 344 344 + // Stored in the user's PDS with rkey = repository name 345 345 + // Users can edit this directly in their PDS to customize their repository page 346 346 + type RepoPageRecord struct { 347 347 + // Type should be "io.atcr.repo.page" 348 348 + Type string `json:"$type"` 349 349 + 350 350 + // Repository is the name of the repository (e.g., "myapp") 351 351 + Repository string `json:"repository"` 352 352 + 353 353 + // Description is the markdown README/description content 354 354 + Description string `json:"description,omitempty"` 355 355 + 356 356 + // Avatar is the repository avatar/icon blob reference 357 357 + Avatar *ATProtoBlobRef `json:"avatar,omitempty"` 358 358 + 359 359 + // CreatedAt timestamp 360 360 + CreatedAt time.Time `json:"createdAt"` 361 361 + 362 362 + // UpdatedAt timestamp 363 363 + UpdatedAt time.Time `json:"updatedAt"` 364 364 + } 365 365 + 366 366 + // NewRepoPageRecord creates a new repo page record 367 367 + func NewRepoPageRecord(repository, description string, avatar *ATProtoBlobRef) *RepoPageRecord { 368 368 + now := time.Now() 369 369 + return &RepoPageRecord{ 370 370 + Type: RepoPageCollection, 371 371 + Repository: repository, 372 372 + Description: description, 373 373 + Avatar: avatar, 351 374 CreatedAt: now, 352 375 UpdatedAt: now, 353 376 }

-18

pkg/atproto/lexicon_embedded.go

··· 1 1 - package atproto 2 2 - 3 3 - // This file contains ATProto record types that are NOT generated from our lexicons. 4 4 - // These are either external schemas or special types that require manual definition. 5 5 - 6 6 - // TangledProfileRecord represents a Tangled profile for the hold 7 7 - // Collection: sh.tangled.actor.profile (external schema - not controlled by ATCR) 8 8 - // Stored in hold's embedded PDS (singleton record at rkey "self") 9 9 - // Uses CBOR encoding for efficient storage in hold's carstore 10 10 - type TangledProfileRecord struct { 11 11 - Type string `json:"$type" cborgen:"$type"` 12 12 - Links []string `json:"links" cborgen:"links"` 13 13 - Stats []string `json:"stats" cborgen:"stats"` 14 14 - Bluesky bool `json:"bluesky" cborgen:"bluesky"` 15 15 - Location string `json:"location" cborgen:"location"` 16 16 - Description string `json:"description" cborgen:"description"` 17 17 - PinnedRepositories []string `json:"pinnedRepositories" cborgen:"pinnedRepositories"` 18 18 - }

-360

pkg/atproto/lexicon_helpers.go

··· 1 1 - package atproto 2 2 - 3 3 - //go:generate go run generate.go 4 4 - 5 5 - import ( 6 6 - "encoding/base64" 7 7 - "encoding/json" 8 8 - "fmt" 9 9 - "strings" 10 10 - "time" 11 11 - ) 12 12 - 13 13 - // Collection names for ATProto records 14 14 - const ( 15 15 - // ManifestCollection is the collection name for container manifests 16 16 - ManifestCollection = "io.atcr.manifest" 17 17 - 18 18 - // TagCollection is the collection name for image tags 19 19 - TagCollection = "io.atcr.tag" 20 20 - 21 21 - // HoldCollection is the collection name for storage holds (BYOS) - LEGACY 22 22 - HoldCollection = "io.atcr.hold" 23 23 - 24 24 - // HoldCrewCollection is the collection name for hold crew (membership) - LEGACY BYOS model 25 25 - // Stored in owner's PDS for BYOS holds 26 26 - HoldCrewCollection = "io.atcr.hold.crew" 27 27 - 28 28 - // CaptainCollection is the collection name for captain records (hold ownership) - EMBEDDED PDS model 29 29 - // Stored in hold's embedded PDS (singleton record at rkey "self") 30 30 - CaptainCollection = "io.atcr.hold.captain" 31 31 - 32 32 - // CrewCollection is the collection name for crew records (access control) - EMBEDDED PDS model 33 33 - // Stored in hold's embedded PDS (one record per member) 34 34 - // Note: Uses same collection name as HoldCrewCollection but stored in different PDS (hold's PDS vs owner's PDS) 35 35 - CrewCollection = "io.atcr.hold.crew" 36 36 - 37 37 - // LayerCollection is the collection name for container layer metadata 38 38 - // Stored in hold's embedded PDS to track which layers are stored 39 39 - LayerCollection = "io.atcr.hold.layer" 40 40 - 41 41 - // TangledProfileCollection is the collection name for tangled profiles 42 42 - // Stored in hold's embedded PDS (singleton record at rkey "self") 43 43 - TangledProfileCollection = "sh.tangled.actor.profile" 44 44 - 45 45 - // BskyPostCollection is the collection name for Bluesky posts 46 46 - BskyPostCollection = "app.bsky.feed.post" 47 47 - 48 48 - // SailorProfileCollection is the collection name for user profiles 49 49 - SailorProfileCollection = "io.atcr.sailor.profile" 50 50 - 51 51 - // StarCollection is the collection name for repository stars 52 52 - StarCollection = "io.atcr.sailor.star" 53 53 - ) 54 54 - 55 55 - // NewManifestRecord creates a new manifest record from OCI manifest JSON 56 56 - func NewManifestRecord(repository, digest string, ociManifest []byte) (*Manifest, error) { 57 57 - // Parse the OCI manifest 58 58 - var ociData struct { 59 59 - SchemaVersion int `json:"schemaVersion"` 60 60 - MediaType string `json:"mediaType"` 61 61 - Config json.RawMessage `json:"config,omitempty"` 62 62 - Layers []json.RawMessage `json:"layers,omitempty"` 63 63 - Manifests []json.RawMessage `json:"manifests,omitempty"` 64 64 - Subject json.RawMessage `json:"subject,omitempty"` 65 65 - Annotations map[string]string `json:"annotations,omitempty"` 66 66 - } 67 67 - 68 68 - if err := json.Unmarshal(ociManifest, &ociData); err != nil { 69 69 - return nil, err 70 70 - } 71 71 - 72 72 - // Detect manifest type based on media type 73 73 - isManifestList := strings.Contains(ociData.MediaType, "manifest.list") || 74 74 - strings.Contains(ociData.MediaType, "image.index") 75 75 - 76 76 - // Validate: must have either (config+layers) OR (manifests), never both 77 77 - hasImageFields := len(ociData.Config) > 0 || len(ociData.Layers) > 0 78 78 - hasIndexFields := len(ociData.Manifests) > 0 79 79 - 80 80 - if hasImageFields && hasIndexFields { 81 81 - return nil, fmt.Errorf("manifest cannot have both image fields (config/layers) and index fields (manifests)") 82 82 - } 83 83 - if !hasImageFields && !hasIndexFields { 84 84 - return nil, fmt.Errorf("manifest must have either image fields (config/layers) or index fields (manifests)") 85 85 - } 86 86 - 87 87 - record := &Manifest{ 88 88 - LexiconTypeID: ManifestCollection, 89 89 - Repository: repository, 90 90 - Digest: digest, 91 91 - MediaType: ociData.MediaType, 92 92 - SchemaVersion: int64(ociData.SchemaVersion), 93 93 - // ManifestBlob will be set by the caller after uploading to blob storage 94 94 - CreatedAt: time.Now().Format(time.RFC3339), 95 95 - } 96 96 - 97 97 - // Handle annotations - Manifest_Annotations is an empty struct in generated code 98 98 - // We don't copy ociData.Annotations since the generated type doesn't support arbitrary keys 99 99 - 100 100 - if isManifestList { 101 101 - // Parse manifest list/index 102 102 - record.Manifests = make([]Manifest_ManifestReference, len(ociData.Manifests)) 103 103 - for i, m := range ociData.Manifests { 104 104 - var ref struct { 105 105 - MediaType string `json:"mediaType"` 106 106 - Digest string `json:"digest"` 107 107 - Size int64 `json:"size"` 108 108 - Platform *Manifest_Platform `json:"platform,omitempty"` 109 109 - Annotations map[string]string `json:"annotations,omitempty"` 110 110 - } 111 111 - if err := json.Unmarshal(m, &ref); err != nil { 112 112 - return nil, fmt.Errorf("failed to parse manifest reference %d: %w", i, err) 113 113 - } 114 114 - record.Manifests[i] = Manifest_ManifestReference{ 115 115 - MediaType: ref.MediaType, 116 116 - Digest: ref.Digest, 117 117 - Size: ref.Size, 118 118 - Platform: ref.Platform, 119 119 - } 120 120 - } 121 121 - } else { 122 122 - // Parse image manifest 123 123 - if len(ociData.Config) > 0 { 124 124 - var config Manifest_BlobReference 125 125 - if err := json.Unmarshal(ociData.Config, &config); err != nil { 126 126 - return nil, fmt.Errorf("failed to parse config: %w", err) 127 127 - } 128 128 - record.Config = &config 129 129 - } 130 130 - 131 131 - // Parse layers 132 132 - record.Layers = make([]Manifest_BlobReference, len(ociData.Layers)) 133 133 - for i, layer := range ociData.Layers { 134 134 - if err := json.Unmarshal(layer, &record.Layers[i]); err != nil { 135 135 - return nil, fmt.Errorf("failed to parse layer %d: %w", i, err) 136 136 - } 137 137 - } 138 138 - } 139 139 - 140 140 - // Parse subject if present (works for both types) 141 141 - if len(ociData.Subject) > 0 { 142 142 - var subject Manifest_BlobReference 143 143 - if err := json.Unmarshal(ociData.Subject, &subject); err != nil { 144 144 - return nil, err 145 145 - } 146 146 - record.Subject = &subject 147 147 - } 148 148 - 149 149 - return record, nil 150 150 - } 151 151 - 152 152 - // NewTagRecord creates a new tag record with manifest AT-URI 153 153 - // did: The DID of the user (e.g., "did:plc:xyz123") 154 154 - // repository: The repository name (e.g., "myapp") 155 155 - // tag: The tag name (e.g., "latest", "v1.0.0") 156 156 - // manifestDigest: The manifest digest (e.g., "sha256:abc123...") 157 157 - func NewTagRecord(did, repository, tag, manifestDigest string) *Tag { 158 158 - // Build AT-URI for the manifest 159 159 - // Format: at://did:plc:xyz/io.atcr.manifest/<digest-without-sha256-prefix> 160 160 - manifestURI := BuildManifestURI(did, manifestDigest) 161 161 - 162 162 - return &Tag{ 163 163 - LexiconTypeID: TagCollection, 164 164 - Repository: repository, 165 165 - Tag: tag, 166 166 - Manifest: &manifestURI, 167 167 - // Note: ManifestDigest is not set for new records (only for backward compat with old records) 168 168 - CreatedAt: time.Now().Format(time.RFC3339), 169 169 - } 170 170 - } 171 171 - 172 172 - // NewSailorProfileRecord creates a new sailor profile record 173 173 - func NewSailorProfileRecord(defaultHold string) *SailorProfile { 174 174 - now := time.Now().Format(time.RFC3339) 175 175 - var holdPtr *string 176 176 - if defaultHold != "" { 177 177 - holdPtr = &defaultHold 178 178 - } 179 179 - return &SailorProfile{ 180 180 - LexiconTypeID: SailorProfileCollection, 181 181 - DefaultHold: holdPtr, 182 182 - CreatedAt: now, 183 183 - UpdatedAt: &now, 184 184 - } 185 185 - } 186 186 - 187 187 - // NewStarRecord creates a new star record 188 188 - func NewStarRecord(ownerDID, repository string) *SailorStar { 189 189 - return &SailorStar{ 190 190 - LexiconTypeID: StarCollection, 191 191 - Subject: SailorStar_Subject{ 192 192 - Did: ownerDID, 193 193 - Repository: repository, 194 194 - }, 195 195 - CreatedAt: time.Now().Format(time.RFC3339), 196 196 - } 197 197 - } 198 198 - 199 199 - // NewLayerRecord creates a new layer record 200 200 - func NewLayerRecord(digest string, size int64, mediaType, repository, userDID, userHandle string) *HoldLayer { 201 201 - return &HoldLayer{ 202 202 - LexiconTypeID: LayerCollection, 203 203 - Digest: digest, 204 204 - Size: size, 205 205 - MediaType: mediaType, 206 206 - Repository: repository, 207 207 - UserDid: userDID, 208 208 - UserHandle: userHandle, 209 209 - CreatedAt: time.Now().Format(time.RFC3339), 210 210 - } 211 211 - } 212 212 - 213 213 - // StarRecordKey generates a record key for a star 214 214 - // Uses a simple hash to ensure uniqueness and prevent duplicate stars 215 215 - func StarRecordKey(ownerDID, repository string) string { 216 216 - // Use base64 encoding of "ownerDID/repository" as the record key 217 217 - // This is deterministic and prevents duplicate stars 218 218 - combined := ownerDID + "/" + repository 219 219 - return base64.RawURLEncoding.EncodeToString([]byte(combined)) 220 220 - } 221 221 - 222 222 - // ParseStarRecordKey decodes a star record key back to ownerDID and repository 223 223 - func ParseStarRecordKey(rkey string) (ownerDID, repository string, err error) { 224 224 - decoded, err := base64.RawURLEncoding.DecodeString(rkey) 225 225 - if err != nil { 226 226 - return "", "", fmt.Errorf("failed to decode star rkey: %w", err) 227 227 - } 228 228 - 229 229 - parts := strings.SplitN(string(decoded), "/", 2) 230 230 - if len(parts) != 2 { 231 231 - return "", "", fmt.Errorf("invalid star rkey format: %s", string(decoded)) 232 232 - } 233 233 - 234 234 - return parts[0], parts[1], nil 235 235 - } 236 236 - 237 237 - // ResolveHoldDIDFromURL converts a hold endpoint URL to a did:web DID 238 238 - // This ensures that different representations of the same hold are deduplicated: 239 239 - // - http://172.28.0.3:8080 → did:web:172.28.0.3:8080 240 240 - // - http://hold01.atcr.io → did:web:hold01.atcr.io 241 241 - // - https://hold01.atcr.io → did:web:hold01.atcr.io 242 242 - // - did:web:hold01.atcr.io → did:web:hold01.atcr.io (passthrough) 243 243 - func ResolveHoldDIDFromURL(holdURL string) string { 244 244 - // Handle empty URLs 245 245 - if holdURL == "" { 246 246 - return "" 247 247 - } 248 248 - 249 249 - // If already a DID, return as-is 250 250 - if IsDID(holdURL) { 251 251 - return holdURL 252 252 - } 253 253 - 254 254 - // Parse URL to get hostname 255 255 - holdURL = strings.TrimPrefix(holdURL, "http://") 256 256 - holdURL = strings.TrimPrefix(holdURL, "https://") 257 257 - holdURL = strings.TrimSuffix(holdURL, "/") 258 258 - 259 259 - // Extract hostname (remove path if present) 260 260 - parts := strings.Split(holdURL, "/") 261 261 - hostname := parts[0] 262 262 - 263 263 - // Convert to did:web 264 264 - // did:web uses hostname directly (port included if non-standard) 265 265 - return "did:web:" + hostname 266 266 - } 267 267 - 268 268 - // IsDID checks if a string is a DID (starts with "did:") 269 269 - func IsDID(s string) bool { 270 270 - return len(s) > 4 && s[:4] == "did:" 271 271 - } 272 272 - 273 273 - // RepositoryTagToRKey converts a repository and tag to an ATProto record key 274 274 - // ATProto record keys must match: ^[a-zA-Z0-9._~-]{1,512}$ 275 275 - func RepositoryTagToRKey(repository, tag string) string { 276 276 - // Combine repository and tag to create a unique key 277 277 - // Replace invalid characters: slashes become tildes (~) 278 278 - // We use tilde instead of dash to avoid ambiguity with repository names that contain hyphens 279 279 - key := fmt.Sprintf("%s_%s", repository, tag) 280 280 - 281 281 - // Replace / with ~ (slash not allowed in rkeys, tilde is allowed and unlikely in repo names) 282 282 - key = strings.ReplaceAll(key, "/", "~") 283 283 - 284 284 - return key 285 285 - } 286 286 - 287 287 - // RKeyToRepositoryTag converts an ATProto record key back to repository and tag 288 288 - // This is the inverse of RepositoryTagToRKey 289 289 - // Note: If the tag contains underscores, this will split on the LAST underscore 290 290 - func RKeyToRepositoryTag(rkey string) (repository, tag string) { 291 291 - // Find the last underscore to split repository and tag 292 292 - lastUnderscore := strings.LastIndex(rkey, "_") 293 293 - if lastUnderscore == -1 { 294 294 - // No underscore found - treat entire string as tag with empty repository 295 295 - return "", rkey 296 296 - } 297 297 - 298 298 - repository = rkey[:lastUnderscore] 299 299 - tag = rkey[lastUnderscore+1:] 300 300 - 301 301 - // Convert tildes back to slashes in repository (tilde was used to encode slashes) 302 302 - repository = strings.ReplaceAll(repository, "~", "/") 303 303 - 304 304 - return repository, tag 305 305 - } 306 306 - 307 307 - // BuildManifestURI creates an AT-URI for a manifest record 308 308 - // did: The DID of the user (e.g., "did:plc:xyz123") 309 309 - // manifestDigest: The manifest digest (e.g., "sha256:abc123...") 310 310 - // Returns: AT-URI in format "at://did:plc:xyz/io.atcr.manifest/<digest-without-sha256-prefix>" 311 311 - func BuildManifestURI(did, manifestDigest string) string { 312 312 - // Remove the "sha256:" prefix from the digest to get the rkey 313 313 - rkey := strings.TrimPrefix(manifestDigest, "sha256:") 314 314 - return fmt.Sprintf("at://%s/%s/%s", did, ManifestCollection, rkey) 315 315 - } 316 316 - 317 317 - // ParseManifestURI extracts the digest from a manifest AT-URI 318 318 - // manifestURI: AT-URI in format "at://did:plc:xyz/io.atcr.manifest/<digest-without-sha256-prefix>" 319 319 - // Returns: Full digest with "sha256:" prefix (e.g., "sha256:abc123...") 320 320 - func ParseManifestURI(manifestURI string) (string, error) { 321 321 - // Expected format: at://did:plc:xyz/io.atcr.manifest/<rkey> 322 322 - if !strings.HasPrefix(manifestURI, "at://") { 323 323 - return "", fmt.Errorf("invalid AT-URI format: must start with 'at://'") 324 324 - } 325 325 - 326 326 - // Remove "at://" prefix 327 327 - remainder := strings.TrimPrefix(manifestURI, "at://") 328 328 - 329 329 - // Split by "/" 330 330 - parts := strings.Split(remainder, "/") 331 331 - if len(parts) != 3 { 332 332 - return "", fmt.Errorf("invalid AT-URI format: expected 3 parts (did/collection/rkey), got %d", len(parts)) 333 333 - } 334 334 - 335 335 - // Validate collection 336 336 - if parts[1] != ManifestCollection { 337 337 - return "", fmt.Errorf("invalid AT-URI: expected collection %s, got %s", ManifestCollection, parts[1]) 338 338 - } 339 339 - 340 340 - // The rkey is the digest without the "sha256:" prefix 341 341 - // Add it back to get the full digest 342 342 - rkey := parts[2] 343 343 - return "sha256:" + rkey, nil 344 344 - } 345 345 - 346 346 - // GetManifestDigest extracts the digest from a Tag, preferring the manifest field 347 347 - // Returns the digest with "sha256:" prefix (e.g., "sha256:abc123...") 348 348 - func (t *Tag) GetManifestDigest() (string, error) { 349 349 - // Prefer the new manifest field 350 350 - if t.Manifest != nil && *t.Manifest != "" { 351 351 - return ParseManifestURI(*t.Manifest) 352 352 - } 353 353 - 354 354 - // Fall back to the legacy manifestDigest field 355 355 - if t.ManifestDigest != nil && *t.ManifestDigest != "" { 356 356 - return *t.ManifestDigest, nil 357 357 - } 358 358 - 359 359 - return "", fmt.Errorf("tag record has neither manifest nor manifestDigest field") 360 360 - }

+215 -109

pkg/atproto/lexicon_test.go

··· 104 104 digest string 105 105 ociManifest string 106 106 wantErr bool 107 107 - checkFunc func(*testing.T, *Manifest) 107 107 + checkFunc func(*testing.T, *ManifestRecord) 108 108 }{ 109 109 { 110 110 name: "valid OCI manifest", ··· 112 112 digest: "sha256:abc123", 113 113 ociManifest: validOCIManifest, 114 114 wantErr: false, 115 115 - checkFunc: func(t *testing.T, record *Manifest) { 116 116 - if record.LexiconTypeID != ManifestCollection { 117 117 - t.Errorf("LexiconTypeID = %v, want %v", record.LexiconTypeID, ManifestCollection) 115 115 + checkFunc: func(t *testing.T, record *ManifestRecord) { 116 116 + if record.Type != ManifestCollection { 117 117 + t.Errorf("Type = %v, want %v", record.Type, ManifestCollection) 118 118 } 119 119 if record.Repository != "myapp" { 120 120 t.Errorf("Repository = %v, want myapp", record.Repository) ··· 143 143 if record.Layers[1].Digest != "sha256:layer2" { 144 144 t.Errorf("Layers[1].Digest = %v, want sha256:layer2", record.Layers[1].Digest) 145 145 } 146 146 - // Note: Annotations are not copied to generated type (empty struct) 147 147 - if record.CreatedAt == "" { 148 148 - t.Error("CreatedAt should not be empty") 146 146 + if record.Annotations["org.opencontainers.image.created"] != "2025-01-01T00:00:00Z" { 147 147 + t.Errorf("Annotations missing expected key") 148 148 + } 149 149 + if record.CreatedAt.IsZero() { 150 150 + t.Error("CreatedAt should not be zero") 149 151 } 150 152 if record.Subject != nil { 151 153 t.Error("Subject should be nil") ··· 158 160 digest: "sha256:abc123", 159 161 ociManifest: manifestWithSubject, 160 162 wantErr: false, 161 161 - checkFunc: func(t *testing.T, record *Manifest) { 163 163 + checkFunc: func(t *testing.T, record *ManifestRecord) { 162 164 if record.Subject == nil { 163 165 t.Fatal("Subject should not be nil") 164 166 } ··· 190 192 digest: "sha256:multiarch", 191 193 ociManifest: manifestList, 192 194 wantErr: false, 193 193 - checkFunc: func(t *testing.T, record *Manifest) { 195 195 + checkFunc: func(t *testing.T, record *ManifestRecord) { 194 196 if record.MediaType != "application/vnd.oci.image.index.v1+json" { 195 197 t.Errorf("MediaType = %v, want application/vnd.oci.image.index.v1+json", record.MediaType) 196 198 } ··· 217 219 if record.Manifests[0].Platform.Architecture != "amd64" { 218 220 t.Errorf("Platform.Architecture = %v, want amd64", record.Manifests[0].Platform.Architecture) 219 221 } 220 220 - if record.Manifests[0].Platform.Os != "linux" { 221 221 - t.Errorf("Platform.Os = %v, want linux", record.Manifests[0].Platform.Os) 222 222 + if record.Manifests[0].Platform.OS != "linux" { 223 223 + t.Errorf("Platform.OS = %v, want linux", record.Manifests[0].Platform.OS) 222 224 } 223 225 224 226 // Check second manifest (arm64) ··· 228 230 if record.Manifests[1].Platform.Architecture != "arm64" { 229 231 t.Errorf("Platform.Architecture = %v, want arm64", record.Manifests[1].Platform.Architecture) 230 232 } 231 231 - if record.Manifests[1].Platform.Variant == nil || *record.Manifests[1].Platform.Variant != "v8" { 233 233 + if record.Manifests[1].Platform.Variant != "v8" { 232 234 t.Errorf("Platform.Variant = %v, want v8", record.Manifests[1].Platform.Variant) 233 235 } 234 236 }, ··· 266 268 267 269 func TestNewTagRecord(t *testing.T) { 268 270 did := "did:plc:test123" 269 269 - // Truncate to second precision since RFC3339 doesn't have sub-second precision 270 270 - before := time.Now().Truncate(time.Second) 271 271 + before := time.Now() 271 272 record := NewTagRecord(did, "myapp", "latest", "sha256:abc123") 272 272 - after := time.Now().Truncate(time.Second).Add(time.Second) 273 273 + after := time.Now() 273 274 274 274 - if record.LexiconTypeID != TagCollection { 275 275 - t.Errorf("LexiconTypeID = %v, want %v", record.LexiconTypeID, TagCollection) 275 275 + if record.Type != TagCollection { 276 276 + t.Errorf("Type = %v, want %v", record.Type, TagCollection) 276 277 } 277 278 278 279 if record.Repository != "myapp" { ··· 285 286 286 287 // New records should have manifest field (AT-URI) 287 288 expectedURI := "at://did:plc:test123/io.atcr.manifest/abc123" 288 288 - if record.Manifest == nil || *record.Manifest != expectedURI { 289 289 + if record.Manifest != expectedURI { 289 290 t.Errorf("Manifest = %v, want %v", record.Manifest, expectedURI) 290 291 } 291 292 292 293 // New records should NOT have manifestDigest field 293 293 - if record.ManifestDigest != nil && *record.ManifestDigest != "" { 294 294 - t.Errorf("ManifestDigest should be nil for new records, got %v", record.ManifestDigest) 294 294 + if record.ManifestDigest != "" { 295 295 + t.Errorf("ManifestDigest should be empty for new records, got %v", record.ManifestDigest) 295 296 } 296 297 297 297 - createdAt, err := time.Parse(time.RFC3339, record.CreatedAt) 298 298 - if err != nil { 299 299 - t.Errorf("CreatedAt is not valid RFC3339: %v", err) 300 300 - } 301 301 - if createdAt.Before(before) || createdAt.After(after) { 302 302 - t.Errorf("CreatedAt = %v, want between %v and %v", createdAt, before, after) 298 298 + if record.UpdatedAt.Before(before) || record.UpdatedAt.After(after) { 299 299 + t.Errorf("UpdatedAt = %v, want between %v and %v", record.UpdatedAt, before, after) 303 300 } 304 301 } 305 302 ··· 394 391 } 395 392 396 393 func TestTagRecord_GetManifestDigest(t *testing.T) { 397 397 - manifestURI := "at://did:plc:test123/io.atcr.manifest/abc123" 398 398 - digestValue := "sha256:def456" 399 399 - 400 394 tests := []struct { 401 395 name string 402 402 - record Tag 396 396 + record TagRecord 403 397 want string 404 398 wantErr bool 405 399 }{ 406 400 { 407 401 name: "new record with manifest field", 408 408 - record: Tag{ 409 409 - Manifest: &manifestURI, 402 402 + record: TagRecord{ 403 403 + Manifest: "at://did:plc:test123/io.atcr.manifest/abc123", 410 404 }, 411 405 want: "sha256:abc123", 412 406 wantErr: false, 413 407 }, 414 408 { 415 409 name: "old record with manifestDigest field", 416 416 - record: Tag{ 417 417 - ManifestDigest: &digestValue, 410 410 + record: TagRecord{ 411 411 + ManifestDigest: "sha256:def456", 418 412 }, 419 413 want: "sha256:def456", 420 414 wantErr: false, 421 415 }, 422 416 { 423 417 name: "prefers manifest over manifestDigest", 424 424 - record: Tag{ 425 425 - Manifest: &manifestURI, 426 426 - ManifestDigest: &digestValue, 418 418 + record: TagRecord{ 419 419 + Manifest: "at://did:plc:test123/io.atcr.manifest/abc123", 420 420 + ManifestDigest: "sha256:def456", 427 421 }, 428 422 want: "sha256:abc123", 429 423 wantErr: false, 430 424 }, 431 425 { 432 426 name: "no fields set", 433 433 - record: Tag{}, 427 427 + record: TagRecord{}, 434 428 want: "", 435 429 wantErr: true, 436 430 }, 437 431 { 438 432 name: "invalid manifest URI", 439 439 - record: Tag{ 440 440 - Manifest: func() *string { s := "invalid-uri"; return &s }(), 433 433 + record: TagRecord{ 434 434 + Manifest: "invalid-uri", 441 435 }, 442 436 want: "", 443 437 wantErr: true, ··· 457 451 }) 458 452 } 459 453 } 460 460 - 461 461 - // TestNewHoldRecord is removed - HoldRecord is no longer supported (legacy BYOS) 462 454 463 455 func TestNewSailorProfileRecord(t *testing.T) { 464 456 tests := []struct { ··· 481 473 482 474 for _, tt := range tests { 483 475 t.Run(tt.name, func(t *testing.T) { 484 484 - // Truncate to second precision since RFC3339 doesn't have sub-second precision 485 485 - before := time.Now().Truncate(time.Second) 476 476 + before := time.Now() 486 477 record := NewSailorProfileRecord(tt.defaultHold) 487 487 - after := time.Now().Truncate(time.Second).Add(time.Second) 478 478 + after := time.Now() 488 479 489 489 - if record.LexiconTypeID != SailorProfileCollection { 490 490 - t.Errorf("LexiconTypeID = %v, want %v", record.LexiconTypeID, SailorProfileCollection) 480 480 + if record.Type != SailorProfileCollection { 481 481 + t.Errorf("Type = %v, want %v", record.Type, SailorProfileCollection) 491 482 } 492 483 493 493 - if tt.defaultHold == "" { 494 494 - if record.DefaultHold != nil { 495 495 - t.Errorf("DefaultHold = %v, want nil", record.DefaultHold) 496 496 - } 497 497 - } else { 498 498 - if record.DefaultHold == nil || *record.DefaultHold != tt.defaultHold { 499 499 - t.Errorf("DefaultHold = %v, want %v", record.DefaultHold, tt.defaultHold) 500 500 - } 484 484 + if record.DefaultHold != tt.defaultHold { 485 485 + t.Errorf("DefaultHold = %v, want %v", record.DefaultHold, tt.defaultHold) 501 486 } 502 487 503 503 - createdAt, err := time.Parse(time.RFC3339, record.CreatedAt) 504 504 - if err != nil { 505 505 - t.Errorf("CreatedAt is not valid RFC3339: %v", err) 488 488 + if record.CreatedAt.Before(before) || record.CreatedAt.After(after) { 489 489 + t.Errorf("CreatedAt = %v, want between %v and %v", record.CreatedAt, before, after) 506 490 } 507 507 - if createdAt.Before(before) || createdAt.After(after) { 508 508 - t.Errorf("CreatedAt = %v, want between %v and %v", createdAt, before, after) 491 491 + 492 492 + if record.UpdatedAt.Before(before) || record.UpdatedAt.After(after) { 493 493 + t.Errorf("UpdatedAt = %v, want between %v and %v", record.UpdatedAt, before, after) 509 494 } 510 495 511 511 - if record.UpdatedAt == nil { 512 512 - t.Error("UpdatedAt should not be nil") 513 513 - } else { 514 514 - updatedAt, err := time.Parse(time.RFC3339, *record.UpdatedAt) 515 515 - if err != nil { 516 516 - t.Errorf("UpdatedAt is not valid RFC3339: %v", err) 517 517 - } 518 518 - if updatedAt.Before(before) || updatedAt.After(after) { 519 519 - t.Errorf("UpdatedAt = %v, want between %v and %v", updatedAt, before, after) 520 520 - } 496 496 + // CreatedAt and UpdatedAt should be equal for new records 497 497 + if !record.CreatedAt.Equal(record.UpdatedAt) { 498 498 + t.Errorf("CreatedAt (%v) != UpdatedAt (%v)", record.CreatedAt, record.UpdatedAt) 521 499 } 522 500 }) 523 501 } 524 502 } 525 503 526 504 func TestNewStarRecord(t *testing.T) { 527 527 - // Truncate to second precision since RFC3339 doesn't have sub-second precision 528 528 - before := time.Now().Truncate(time.Second) 505 505 + before := time.Now() 529 506 record := NewStarRecord("did:plc:alice123", "myapp") 530 530 - after := time.Now().Truncate(time.Second).Add(time.Second) 507 507 + after := time.Now() 531 508 532 532 - if record.LexiconTypeID != StarCollection { 533 533 - t.Errorf("LexiconTypeID = %v, want %v", record.LexiconTypeID, StarCollection) 509 509 + if record.Type != StarCollection { 510 510 + t.Errorf("Type = %v, want %v", record.Type, StarCollection) 534 511 } 535 512 536 536 - if record.Subject.Did != "did:plc:alice123" { 537 537 - t.Errorf("Subject.Did = %v, want did:plc:alice123", record.Subject.Did) 513 513 + if record.Subject.DID != "did:plc:alice123" { 514 514 + t.Errorf("Subject.DID = %v, want did:plc:alice123", record.Subject.DID) 538 515 } 539 516 540 517 if record.Subject.Repository != "myapp" { 541 518 t.Errorf("Subject.Repository = %v, want myapp", record.Subject.Repository) 542 519 } 543 520 544 544 - createdAt, err := time.Parse(time.RFC3339, record.CreatedAt) 545 545 - if err != nil { 546 546 - t.Errorf("CreatedAt is not valid RFC3339: %v", err) 547 547 - } 548 548 - if createdAt.Before(before) || createdAt.After(after) { 549 549 - t.Errorf("CreatedAt = %v, want between %v and %v", createdAt, before, after) 521 521 + if record.CreatedAt.Before(before) || record.CreatedAt.After(after) { 522 522 + t.Errorf("CreatedAt = %v, want between %v and %v", record.CreatedAt, before, after) 550 523 } 551 524 } 552 525 ··· 834 807 } 835 808 836 809 // Add hold DID 837 837 - holdDID := "did:web:hold01.atcr.io" 838 838 - record.HoldDid = &holdDID 810 810 + record.HoldDID = "did:web:hold01.atcr.io" 839 811 840 812 // Serialize to JSON 841 813 jsonData, err := json.Marshal(record) ··· 844 816 } 845 817 846 818 // Deserialize from JSON 847 847 - var decoded Manifest 819 819 + var decoded ManifestRecord 848 820 if err := json.Unmarshal(jsonData, &decoded); err != nil { 849 821 t.Fatalf("json.Unmarshal() error = %v", err) 850 822 } 851 823 852 824 // Verify fields 853 853 - if decoded.LexiconTypeID != record.LexiconTypeID { 854 854 - t.Errorf("LexiconTypeID = %v, want %v", decoded.LexiconTypeID, record.LexiconTypeID) 825 825 + if decoded.Type != record.Type { 826 826 + t.Errorf("Type = %v, want %v", decoded.Type, record.Type) 855 827 } 856 828 if decoded.Repository != record.Repository { 857 829 t.Errorf("Repository = %v, want %v", decoded.Repository, record.Repository) ··· 859 831 if decoded.Digest != record.Digest { 860 832 t.Errorf("Digest = %v, want %v", decoded.Digest, record.Digest) 861 833 } 862 862 - if decoded.HoldDid == nil || *decoded.HoldDid != *record.HoldDid { 863 863 - t.Errorf("HoldDid = %v, want %v", decoded.HoldDid, record.HoldDid) 834 834 + if decoded.HoldDID != record.HoldDID { 835 835 + t.Errorf("HoldDID = %v, want %v", decoded.HoldDID, record.HoldDID) 864 836 } 865 837 if decoded.Config.Digest != record.Config.Digest { 866 838 t.Errorf("Config.Digest = %v, want %v", decoded.Config.Digest, record.Config.Digest) ··· 871 843 } 872 844 873 845 func TestBlobReference_JSONSerialization(t *testing.T) { 874 874 - blob := Manifest_BlobReference{ 846 846 + blob := BlobReference{ 875 847 MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", 876 848 Digest: "sha256:abc123", 877 849 Size: 12345, 878 878 - Urls: []string{"https://s3.example.com/blob"}, 879 879 - // Note: Annotations is now an empty struct, not a map 850 850 + URLs: []string{"https://s3.example.com/blob"}, 851 851 + Annotations: map[string]string{ 852 852 + "key": "value", 853 853 + }, 880 854 } 881 855 882 856 // Serialize ··· 886 860 } 887 861 888 862 // Deserialize 889 889 - var decoded Manifest_BlobReference 863 863 + var decoded BlobReference 890 864 if err := json.Unmarshal(jsonData, &decoded); err != nil { 891 865 t.Fatalf("json.Unmarshal() error = %v", err) 892 866 } ··· 904 878 } 905 879 906 880 func TestStarSubject_JSONSerialization(t *testing.T) { 907 907 - subject := SailorStar_Subject{ 908 908 - Did: "did:plc:alice123", 881 881 + subject := StarSubject{ 882 882 + DID: "did:plc:alice123", 909 883 Repository: "myapp", 910 884 } 911 885 ··· 916 890 } 917 891 918 892 // Deserialize 919 919 - var decoded SailorStar_Subject 893 893 + var decoded StarSubject 920 894 if err := json.Unmarshal(jsonData, &decoded); err != nil { 921 895 t.Fatalf("json.Unmarshal() error = %v", err) 922 896 } 923 897 924 898 // Verify 925 925 - if decoded.Did != subject.Did { 926 926 - t.Errorf("Did = %v, want %v", decoded.Did, subject.Did) 899 899 + if decoded.DID != subject.DID { 900 900 + t.Errorf("DID = %v, want %v", decoded.DID, subject.DID) 927 901 } 928 902 if decoded.Repository != subject.Repository { 929 903 t.Errorf("Repository = %v, want %v", decoded.Repository, subject.Repository) ··· 1170 1144 t.Fatal("NewLayerRecord() returned nil") 1171 1145 } 1172 1146 1173 1173 - if record.LexiconTypeID != LayerCollection { 1174 1174 - t.Errorf("LexiconTypeID = %q, want %q", record.LexiconTypeID, LayerCollection) 1147 1147 + if record.Type != LayerCollection { 1148 1148 + t.Errorf("Type = %q, want %q", record.Type, LayerCollection) 1175 1149 } 1176 1150 1177 1151 if record.Digest != tt.digest { ··· 1190 1164 t.Errorf("Repository = %q, want %q", record.Repository, tt.repository) 1191 1165 } 1192 1166 1193 1193 - if record.UserDid != tt.userDID { 1194 1194 - t.Errorf("UserDid = %q, want %q", record.UserDid, tt.userDID) 1167 1167 + if record.UserDID != tt.userDID { 1168 1168 + t.Errorf("UserDID = %q, want %q", record.UserDID, tt.userDID) 1195 1169 } 1196 1170 1197 1171 if record.UserHandle != tt.userHandle { ··· 1213 1187 } 1214 1188 1215 1189 func TestNewLayerRecordJSON(t *testing.T) { 1216 1216 - // Test that HoldLayer can be marshaled/unmarshaled to/from JSON 1190 1190 + // Test that LayerRecord can be marshaled/unmarshaled to/from JSON 1217 1191 record := NewLayerRecord( 1218 1192 "sha256:abc123", 1219 1193 1024, ··· 1230 1204 } 1231 1205 1232 1206 // Unmarshal back 1233 1233 - var decoded HoldLayer 1207 1207 + var decoded LayerRecord 1234 1208 if err := json.Unmarshal(jsonData, &decoded); err != nil { 1235 1209 t.Fatalf("json.Unmarshal() error = %v", err) 1236 1210 } 1237 1211 1238 1212 // Verify fields match 1239 1239 - if decoded.LexiconTypeID != record.LexiconTypeID { 1240 1240 - t.Errorf("LexiconTypeID = %q, want %q", decoded.LexiconTypeID, record.LexiconTypeID) 1213 1213 + if decoded.Type != record.Type { 1214 1214 + t.Errorf("Type = %q, want %q", decoded.Type, record.Type) 1241 1215 } 1242 1216 if decoded.Digest != record.Digest { 1243 1217 t.Errorf("Digest = %q, want %q", decoded.Digest, record.Digest) ··· 1251 1225 if decoded.Repository != record.Repository { 1252 1226 t.Errorf("Repository = %q, want %q", decoded.Repository, record.Repository) 1253 1227 } 1254 1254 - if decoded.UserDid != record.UserDid { 1255 1255 - t.Errorf("UserDid = %q, want %q", decoded.UserDid, record.UserDid) 1228 1228 + if decoded.UserDID != record.UserDID { 1229 1229 + t.Errorf("UserDID = %q, want %q", decoded.UserDID, record.UserDID) 1256 1230 } 1257 1231 if decoded.UserHandle != record.UserHandle { 1258 1232 t.Errorf("UserHandle = %q, want %q", decoded.UserHandle, record.UserHandle) ··· 1261 1235 t.Errorf("CreatedAt = %q, want %q", decoded.CreatedAt, record.CreatedAt) 1262 1236 } 1263 1237 } 1238 1238 + 1239 1239 + func TestNewRepoPageRecord(t *testing.T) { 1240 1240 + tests := []struct { 1241 1241 + name string 1242 1242 + repository string 1243 1243 + description string 1244 1244 + avatar *ATProtoBlobRef 1245 1245 + }{ 1246 1246 + { 1247 1247 + name: "with description only", 1248 1248 + repository: "myapp", 1249 1249 + description: "# My App\n\nA cool container image.", 1250 1250 + avatar: nil, 1251 1251 + }, 1252 1252 + { 1253 1253 + name: "with avatar only", 1254 1254 + repository: "another-app", 1255 1255 + description: "", 1256 1256 + avatar: &ATProtoBlobRef{ 1257 1257 + Type: "blob", 1258 1258 + Ref: Link{Link: "bafyreiabc123"}, 1259 1259 + MimeType: "image/png", 1260 1260 + Size: 1024, 1261 1261 + }, 1262 1262 + }, 1263 1263 + { 1264 1264 + name: "with both description and avatar", 1265 1265 + repository: "full-app", 1266 1266 + description: "This is a full description.", 1267 1267 + avatar: &ATProtoBlobRef{ 1268 1268 + Type: "blob", 1269 1269 + Ref: Link{Link: "bafyreiabc456"}, 1270 1270 + MimeType: "image/jpeg", 1271 1271 + Size: 2048, 1272 1272 + }, 1273 1273 + }, 1274 1274 + { 1275 1275 + name: "empty values", 1276 1276 + repository: "", 1277 1277 + description: "", 1278 1278 + avatar: nil, 1279 1279 + }, 1280 1280 + } 1281 1281 + 1282 1282 + for _, tt := range tests { 1283 1283 + t.Run(tt.name, func(t *testing.T) { 1284 1284 + before := time.Now() 1285 1285 + record := NewRepoPageRecord(tt.repository, tt.description, tt.avatar) 1286 1286 + after := time.Now() 1287 1287 + 1288 1288 + if record.Type != RepoPageCollection { 1289 1289 + t.Errorf("Type = %v, want %v", record.Type, RepoPageCollection) 1290 1290 + } 1291 1291 + 1292 1292 + if record.Repository != tt.repository { 1293 1293 + t.Errorf("Repository = %v, want %v", record.Repository, tt.repository) 1294 1294 + } 1295 1295 + 1296 1296 + if record.Description != tt.description { 1297 1297 + t.Errorf("Description = %v, want %v", record.Description, tt.description) 1298 1298 + } 1299 1299 + 1300 1300 + if tt.avatar == nil && record.Avatar != nil { 1301 1301 + t.Error("Avatar should be nil") 1302 1302 + } 1303 1303 + 1304 1304 + if tt.avatar != nil { 1305 1305 + if record.Avatar == nil { 1306 1306 + t.Fatal("Avatar should not be nil") 1307 1307 + } 1308 1308 + if record.Avatar.Ref.Link != tt.avatar.Ref.Link { 1309 1309 + t.Errorf("Avatar.Ref.Link = %v, want %v", record.Avatar.Ref.Link, tt.avatar.Ref.Link) 1310 1310 + } 1311 1311 + } 1312 1312 + 1313 1313 + if record.CreatedAt.Before(before) || record.CreatedAt.After(after) { 1314 1314 + t.Errorf("CreatedAt = %v, want between %v and %v", record.CreatedAt, before, after) 1315 1315 + } 1316 1316 + 1317 1317 + if record.UpdatedAt.Before(before) || record.UpdatedAt.After(after) { 1318 1318 + t.Errorf("UpdatedAt = %v, want between %v and %v", record.UpdatedAt, before, after) 1319 1319 + } 1320 1320 + 1321 1321 + // CreatedAt and UpdatedAt should be equal for new records 1322 1322 + if !record.CreatedAt.Equal(record.UpdatedAt) { 1323 1323 + t.Errorf("CreatedAt (%v) != UpdatedAt (%v)", record.CreatedAt, record.UpdatedAt) 1324 1324 + } 1325 1325 + }) 1326 1326 + } 1327 1327 + } 1328 1328 + 1329 1329 + func TestRepoPageRecord_JSONSerialization(t *testing.T) { 1330 1330 + record := NewRepoPageRecord( 1331 1331 + "myapp", 1332 1332 + "# My App\n\nA description with **markdown**.", 1333 1333 + &ATProtoBlobRef{ 1334 1334 + Type: "blob", 1335 1335 + Ref: Link{Link: "bafyreiabc123"}, 1336 1336 + MimeType: "image/png", 1337 1337 + Size: 1024, 1338 1338 + }, 1339 1339 + ) 1340 1340 + 1341 1341 + // Serialize to JSON 1342 1342 + jsonData, err := json.Marshal(record) 1343 1343 + if err != nil { 1344 1344 + t.Fatalf("json.Marshal() error = %v", err) 1345 1345 + } 1346 1346 + 1347 1347 + // Deserialize from JSON 1348 1348 + var decoded RepoPageRecord 1349 1349 + if err := json.Unmarshal(jsonData, &decoded); err != nil { 1350 1350 + t.Fatalf("json.Unmarshal() error = %v", err) 1351 1351 + } 1352 1352 + 1353 1353 + // Verify fields 1354 1354 + if decoded.Type != record.Type { 1355 1355 + t.Errorf("Type = %v, want %v", decoded.Type, record.Type) 1356 1356 + } 1357 1357 + if decoded.Repository != record.Repository { 1358 1358 + t.Errorf("Repository = %v, want %v", decoded.Repository, record.Repository) 1359 1359 + } 1360 1360 + if decoded.Description != record.Description { 1361 1361 + t.Errorf("Description = %v, want %v", decoded.Description, record.Description) 1362 1362 + } 1363 1363 + if decoded.Avatar == nil { 1364 1364 + t.Fatal("Avatar should not be nil") 1365 1365 + } 1366 1366 + if decoded.Avatar.Ref.Link != record.Avatar.Ref.Link { 1367 1367 + t.Errorf("Avatar.Ref.Link = %v, want %v", decoded.Avatar.Ref.Link, record.Avatar.Ref.Link) 1368 1368 + } 1369 1369 + }

-103

pkg/atproto/manifest.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.manifest 4 4 - 5 5 - package atproto 6 6 - 7 7 - import ( 8 8 - lexutil "github.com/bluesky-social/indigo/lex/util" 9 9 - ) 10 10 - 11 11 - // A container image manifest following OCI specification, stored in ATProto 12 12 - type Manifest struct { 13 13 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.manifest"` 14 14 - // annotations: Optional metadata annotations 15 15 - Annotations *Manifest_Annotations `json:"annotations,omitempty" cborgen:"annotations,omitempty"` 16 16 - // config: Reference to image configuration blob 17 17 - Config *Manifest_BlobReference `json:"config,omitempty" cborgen:"config,omitempty"` 18 18 - // createdAt: Record creation timestamp 19 19 - CreatedAt string `json:"createdAt" cborgen:"createdAt"` 20 20 - // digest: Content digest (e.g., 'sha256:abc123...') 21 21 - Digest string `json:"digest" cborgen:"digest"` 22 22 - // holdDid: DID of the hold service where blobs are stored (e.g., 'did:web:hold01.atcr.io'). Primary reference for hold resolution. 23 23 - HoldDid *string `json:"holdDid,omitempty" cborgen:"holdDid,omitempty"` 24 24 - // holdEndpoint: Hold service endpoint URL where blobs are stored. DEPRECATED: Use holdDid instead. Kept for backward compatibility. 25 25 - HoldEndpoint *string `json:"holdEndpoint,omitempty" cborgen:"holdEndpoint,omitempty"` 26 26 - // layers: Filesystem layers (for image manifests) 27 27 - Layers []Manifest_BlobReference `json:"layers,omitempty" cborgen:"layers,omitempty"` 28 28 - // manifestBlob: The full OCI manifest stored as a blob in ATProto. 29 29 - ManifestBlob *lexutil.LexBlob `json:"manifestBlob,omitempty" cborgen:"manifestBlob,omitempty"` 30 30 - // manifests: Referenced manifests (for manifest lists/indexes) 31 31 - Manifests []Manifest_ManifestReference `json:"manifests,omitempty" cborgen:"manifests,omitempty"` 32 32 - // mediaType: OCI media type 33 33 - MediaType string `json:"mediaType" cborgen:"mediaType"` 34 34 - // repository: Repository name (e.g., 'myapp'). Scoped to user's DID. 35 35 - Repository string `json:"repository" cborgen:"repository"` 36 36 - // schemaVersion: OCI schema version (typically 2) 37 37 - SchemaVersion int64 `json:"schemaVersion" cborgen:"schemaVersion"` 38 38 - // subject: Optional reference to another manifest (for attestations, signatures) 39 39 - Subject *Manifest_BlobReference `json:"subject,omitempty" cborgen:"subject,omitempty"` 40 40 - } 41 41 - 42 42 - // Optional metadata annotations 43 43 - type Manifest_Annotations struct { 44 44 - } 45 45 - 46 46 - // Manifest_BlobReference is a "blobReference" in the io.atcr.manifest schema. 47 47 - // 48 48 - // Reference to a blob stored in S3 or external storage 49 49 - type Manifest_BlobReference struct { 50 50 - LexiconTypeID string `json:"$type,omitempty" cborgen:"$type,const=io.atcr.manifest#blobReference,omitempty"` 51 51 - // annotations: Optional metadata 52 52 - Annotations *Manifest_BlobReference_Annotations `json:"annotations,omitempty" cborgen:"annotations,omitempty"` 53 53 - // digest: Content digest (e.g., 'sha256:...') 54 54 - Digest string `json:"digest" cborgen:"digest"` 55 55 - // mediaType: MIME type of the blob 56 56 - MediaType string `json:"mediaType" cborgen:"mediaType"` 57 57 - // size: Size in bytes 58 58 - Size int64 `json:"size" cborgen:"size"` 59 59 - // urls: Optional direct URLs to blob (for BYOS) 60 60 - Urls []string `json:"urls,omitempty" cborgen:"urls,omitempty"` 61 61 - } 62 62 - 63 63 - // Optional metadata 64 64 - type Manifest_BlobReference_Annotations struct { 65 65 - } 66 66 - 67 67 - // Manifest_ManifestReference is a "manifestReference" in the io.atcr.manifest schema. 68 68 - // 69 69 - // Reference to a manifest in a manifest list/index 70 70 - type Manifest_ManifestReference struct { 71 71 - LexiconTypeID string `json:"$type,omitempty" cborgen:"$type,const=io.atcr.manifest#manifestReference,omitempty"` 72 72 - // annotations: Optional metadata 73 73 - Annotations *Manifest_ManifestReference_Annotations `json:"annotations,omitempty" cborgen:"annotations,omitempty"` 74 74 - // digest: Content digest (e.g., 'sha256:...') 75 75 - Digest string `json:"digest" cborgen:"digest"` 76 76 - // mediaType: Media type of the referenced manifest 77 77 - MediaType string `json:"mediaType" cborgen:"mediaType"` 78 78 - // platform: Platform information for this manifest 79 79 - Platform *Manifest_Platform `json:"platform,omitempty" cborgen:"platform,omitempty"` 80 80 - // size: Size in bytes 81 81 - Size int64 `json:"size" cborgen:"size"` 82 82 - } 83 83 - 84 84 - // Optional metadata 85 85 - type Manifest_ManifestReference_Annotations struct { 86 86 - } 87 87 - 88 88 - // Manifest_Platform is a "platform" in the io.atcr.manifest schema. 89 89 - // 90 90 - // Platform information describing OS and architecture 91 91 - type Manifest_Platform struct { 92 92 - LexiconTypeID string `json:"$type,omitempty" cborgen:"$type,const=io.atcr.manifest#platform,omitempty"` 93 93 - // architecture: CPU architecture (e.g., 'amd64', 'arm64', 'arm') 94 94 - Architecture string `json:"architecture" cborgen:"architecture"` 95 95 - // os: Operating system (e.g., 'linux', 'windows', 'darwin') 96 96 - Os string `json:"os" cborgen:"os"` 97 97 - // osFeatures: Optional OS features 98 98 - OsFeatures []string `json:"osFeatures,omitempty" cborgen:"osFeatures,omitempty"` 99 99 - // osVersion: Optional OS version 100 100 - OsVersion *string `json:"osVersion,omitempty" cborgen:"osVersion,omitempty"` 101 101 - // variant: Optional CPU variant (e.g., 'v7' for ARM) 102 102 - Variant *string `json:"variant,omitempty" cborgen:"variant,omitempty"` 103 103 - }

-15

pkg/atproto/register.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - package atproto 4 4 - 5 5 - import lexutil "github.com/bluesky-social/indigo/lex/util" 6 6 - 7 7 - func init() { 8 8 - lexutil.RegisterType("io.atcr.hold.captain", &HoldCaptain{}) 9 9 - lexutil.RegisterType("io.atcr.hold.crew", &HoldCrew{}) 10 10 - lexutil.RegisterType("io.atcr.hold.layer", &HoldLayer{}) 11 11 - lexutil.RegisterType("io.atcr.manifest", &Manifest{}) 12 12 - lexutil.RegisterType("io.atcr.sailor.profile", &SailorProfile{}) 13 13 - lexutil.RegisterType("io.atcr.sailor.star", &SailorStar{}) 14 14 - lexutil.RegisterType("io.atcr.tag", &Tag{}) 15 15 - }

-16

pkg/atproto/sailorprofile.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.sailor.profile 4 4 - 5 5 - package atproto 6 6 - 7 7 - // User profile for ATCR registry. Stores preferences like default hold for blob storage. 8 8 - type SailorProfile struct { 9 9 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.sailor.profile"` 10 10 - // createdAt: Profile creation timestamp 11 11 - CreatedAt string `json:"createdAt" cborgen:"createdAt"` 12 12 - // defaultHold: Default hold endpoint for blob storage. If null, user has opted out of defaults. 13 13 - DefaultHold *string `json:"defaultHold,omitempty" cborgen:"defaultHold,omitempty"` 14 14 - // updatedAt: Profile last updated timestamp 15 15 - UpdatedAt *string `json:"updatedAt,omitempty" cborgen:"updatedAt,omitempty"` 16 16 - }

-25

pkg/atproto/sailorstar.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.sailor.star 4 4 - 5 5 - package atproto 6 6 - 7 7 - // A star (like) on a container image repository. Stored in the starrer's PDS, similar to Bluesky likes. 8 8 - type SailorStar struct { 9 9 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.sailor.star"` 10 10 - // createdAt: Star creation timestamp 11 11 - CreatedAt string `json:"createdAt" cborgen:"createdAt"` 12 12 - // subject: The repository being starred 13 13 - Subject SailorStar_Subject `json:"subject" cborgen:"subject"` 14 14 - } 15 15 - 16 16 - // SailorStar_Subject is a "subject" in the io.atcr.sailor.star schema. 17 17 - // 18 18 - // Reference to a repository owned by a user 19 19 - type SailorStar_Subject struct { 20 20 - LexiconTypeID string `json:"$type,omitempty" cborgen:"$type,const=io.atcr.sailor.star#subject,omitempty"` 21 21 - // did: DID of the repository owner 22 22 - Did string `json:"did" cborgen:"did"` 23 23 - // repository: Repository name (e.g., 'myapp') 24 24 - Repository string `json:"repository" cborgen:"repository"` 25 25 - }

-20

pkg/atproto/tag.go

··· 1 1 - // Code generated by generate.go; DO NOT EDIT. 2 2 - 3 3 - // Lexicon schema: io.atcr.tag 4 4 - 5 5 - package atproto 6 6 - 7 7 - // A named tag pointing to a specific manifest digest 8 8 - type Tag struct { 9 9 - LexiconTypeID string `json:"$type" cborgen:"$type,const=io.atcr.tag"` 10 10 - // createdAt: Tag creation timestamp 11 11 - CreatedAt string `json:"createdAt" cborgen:"createdAt"` 12 12 - // manifest: AT-URI of the manifest this tag points to (e.g., 'at://did:plc:xyz/io.atcr.manifest/abc123'). Preferred over manifestDigest for new records. 13 13 - Manifest *string `json:"manifest,omitempty" cborgen:"manifest,omitempty"` 14 14 - // manifestDigest: DEPRECATED: Digest of the manifest (e.g., 'sha256:...'). Kept for backward compatibility with old records. New records should use 'manifest' field instead. 15 15 - ManifestDigest *string `json:"manifestDigest,omitempty" cborgen:"manifestDigest,omitempty"` 16 16 - // repository: Repository name (e.g., 'myapp'). Scoped to user's DID. 17 17 - Repository string `json:"repository" cborgen:"repository"` 18 18 - // tag: Tag name (e.g., 'latest', 'v1.0.0', '12-slim') 19 19 - Tag string `json:"tag" cborgen:"tag"` 20 20 - }

+142

pkg/auth/cache.go

··· 1 1 + // Package token provides service token caching and management for AppView. 2 2 + // Service tokens are JWTs issued by a user's PDS to authorize AppView to 3 3 + // act on their behalf when communicating with hold services. Tokens are 4 4 + // cached with automatic expiry parsing and 10-second safety margins. 5 5 + package auth 6 6 + 7 7 + import ( 8 8 + "log/slog" 9 9 + "sync" 10 10 + "time" 11 11 + ) 12 12 + 13 13 + // serviceTokenEntry represents a cached service token 14 14 + type serviceTokenEntry struct { 15 15 + token string 16 16 + expiresAt time.Time 17 17 + err error 18 18 + once sync.Once 19 19 + } 20 20 + 21 21 + // Global cache for service tokens (DID:HoldDID -> token) 22 22 + // Service tokens are JWTs issued by a user's PDS to authorize AppView to act on their behalf 23 23 + // when communicating with hold services. These tokens are scoped to specific holds and have 24 24 + // limited lifetime (typically 60s, can request up to 5min). 25 25 + var ( 26 26 + globalServiceTokens = make(map[string]*serviceTokenEntry) 27 27 + globalServiceTokensMu sync.RWMutex 28 28 + ) 29 29 + 30 30 + // GetServiceToken retrieves a cached service token for the given DID and hold DID 31 31 + // Returns empty string if no valid cached token exists 32 32 + func GetServiceToken(did, holdDID string) (token string, expiresAt time.Time) { 33 33 + cacheKey := did + ":" + holdDID 34 34 + 35 35 + globalServiceTokensMu.RLock() 36 36 + entry, exists := globalServiceTokens[cacheKey] 37 37 + globalServiceTokensMu.RUnlock() 38 38 + 39 39 + if !exists { 40 40 + return "", time.Time{} 41 41 + } 42 42 + 43 43 + // Check if token is still valid 44 44 + if time.Now().After(entry.expiresAt) { 45 45 + // Token expired, remove from cache 46 46 + globalServiceTokensMu.Lock() 47 47 + delete(globalServiceTokens, cacheKey) 48 48 + globalServiceTokensMu.Unlock() 49 49 + return "", time.Time{} 50 50 + } 51 51 + 52 52 + return entry.token, entry.expiresAt 53 53 + } 54 54 + 55 55 + // SetServiceToken stores a service token in the cache 56 56 + // Automatically parses the JWT to extract the expiry time 57 57 + // Applies a 10-second safety margin (cache expires 10s before actual JWT expiry) 58 58 + func SetServiceToken(did, holdDID, token string) error { 59 59 + cacheKey := did + ":" + holdDID 60 60 + 61 61 + // Parse JWT to extract expiry (don't verify signature - we trust the PDS) 62 62 + expiry, err := ParseJWTExpiry(token) 63 63 + if err != nil { 64 64 + // If parsing fails, use default 50s TTL (conservative fallback) 65 65 + slog.Warn("Failed to parse JWT expiry, using default 50s", "error", err, "cacheKey", cacheKey) 66 66 + expiry = time.Now().Add(50 * time.Second) 67 67 + } else { 68 68 + // Apply 10s safety margin to avoid using nearly-expired tokens 69 69 + expiry = expiry.Add(-10 * time.Second) 70 70 + } 71 71 + 72 72 + globalServiceTokensMu.Lock() 73 73 + globalServiceTokens[cacheKey] = &serviceTokenEntry{ 74 74 + token: token, 75 75 + expiresAt: expiry, 76 76 + } 77 77 + globalServiceTokensMu.Unlock() 78 78 + 79 79 + slog.Debug("Cached service token", 80 80 + "cacheKey", cacheKey, 81 81 + "expiresIn", time.Until(expiry).Round(time.Second)) 82 82 + 83 83 + return nil 84 84 + } 85 85 + 86 86 + // InvalidateServiceToken removes a service token from the cache 87 87 + // Used when we detect that a token is invalid or the user's session has expired 88 88 + func InvalidateServiceToken(did, holdDID string) { 89 89 + cacheKey := did + ":" + holdDID 90 90 + 91 91 + globalServiceTokensMu.Lock() 92 92 + delete(globalServiceTokens, cacheKey) 93 93 + globalServiceTokensMu.Unlock() 94 94 + 95 95 + slog.Debug("Invalidated service token", "cacheKey", cacheKey) 96 96 + } 97 97 + 98 98 + // GetCacheStats returns statistics about the service token cache for debugging 99 99 + func GetCacheStats() map[string]any { 100 100 + globalServiceTokensMu.RLock() 101 101 + defer globalServiceTokensMu.RUnlock() 102 102 + 103 103 + validCount := 0 104 104 + expiredCount := 0 105 105 + now := time.Now() 106 106 + 107 107 + for _, entry := range globalServiceTokens { 108 108 + if now.Before(entry.expiresAt) { 109 109 + validCount++ 110 110 + } else { 111 111 + expiredCount++ 112 112 + } 113 113 + } 114 114 + 115 115 + return map[string]any{ 116 116 + "total_entries": len(globalServiceTokens), 117 117 + "valid_tokens": validCount, 118 118 + "expired_tokens": expiredCount, 119 119 + } 120 120 + } 121 121 + 122 122 + // CleanExpiredTokens removes expired tokens from the cache 123 123 + // Can be called periodically to prevent unbounded growth (though expired tokens 124 124 + // are also removed lazily on access) 125 125 + func CleanExpiredTokens() { 126 126 + globalServiceTokensMu.Lock() 127 127 + defer globalServiceTokensMu.Unlock() 128 128 + 129 129 + now := time.Now() 130 130 + removed := 0 131 131 + 132 132 + for key, entry := range globalServiceTokens { 133 133 + if now.After(entry.expiresAt) { 134 134 + delete(globalServiceTokens, key) 135 135 + removed++ 136 136 + } 137 137 + } 138 138 + 139 139 + if removed > 0 { 140 140 + slog.Debug("Cleaned expired service tokens", "count", removed) 141 141 + } 142 142 + }

+195

pkg/auth/cache_test.go

··· 1 1 + package auth 2 2 + 3 3 + import ( 4 4 + "testing" 5 5 + "time" 6 6 + ) 7 7 + 8 8 + func TestGetServiceToken_NotCached(t *testing.T) { 9 9 + // Clear cache first 10 10 + globalServiceTokensMu.Lock() 11 11 + globalServiceTokens = make(map[string]*serviceTokenEntry) 12 12 + globalServiceTokensMu.Unlock() 13 13 + 14 14 + did := "did:plc:test123" 15 15 + holdDID := "did:web:hold.example.com" 16 16 + 17 17 + token, expiresAt := GetServiceToken(did, holdDID) 18 18 + if token != "" { 19 19 + t.Errorf("Expected empty token for uncached entry, got %q", token) 20 20 + } 21 21 + if !expiresAt.IsZero() { 22 22 + t.Error("Expected zero time for uncached entry") 23 23 + } 24 24 + } 25 25 + 26 26 + func TestSetServiceToken_ManualExpiry(t *testing.T) { 27 27 + // Clear cache first 28 28 + globalServiceTokensMu.Lock() 29 29 + globalServiceTokens = make(map[string]*serviceTokenEntry) 30 30 + globalServiceTokensMu.Unlock() 31 31 + 32 32 + did := "did:plc:test123" 33 33 + holdDID := "did:web:hold.example.com" 34 34 + token := "invalid_jwt_token" // Will fall back to 50s default 35 35 + 36 36 + // This should succeed with default 50s TTL since JWT parsing will fail 37 37 + err := SetServiceToken(did, holdDID, token) 38 38 + if err != nil { 39 39 + t.Fatalf("SetServiceToken() error = %v", err) 40 40 + } 41 41 + 42 42 + // Verify token was cached 43 43 + cachedToken, expiresAt := GetServiceToken(did, holdDID) 44 44 + if cachedToken != token { 45 45 + t.Errorf("Expected token %q, got %q", token, cachedToken) 46 46 + } 47 47 + if expiresAt.IsZero() { 48 48 + t.Error("Expected non-zero expiry time") 49 49 + } 50 50 + 51 51 + // Expiry should be approximately 50s from now (with 10s margin subtracted in some cases) 52 52 + expectedExpiry := time.Now().Add(50 * time.Second) 53 53 + diff := expiresAt.Sub(expectedExpiry) 54 54 + if diff < -5*time.Second || diff > 5*time.Second { 55 55 + t.Errorf("Expiry time off by %v (expected ~50s from now)", diff) 56 56 + } 57 57 + } 58 58 + 59 59 + func TestGetServiceToken_Expired(t *testing.T) { 60 60 + // Manually insert an expired token 61 61 + did := "did:plc:test123" 62 62 + holdDID := "did:web:hold.example.com" 63 63 + cacheKey := did + ":" + holdDID 64 64 + 65 65 + globalServiceTokensMu.Lock() 66 66 + globalServiceTokens[cacheKey] = &serviceTokenEntry{ 67 67 + token: "expired_token", 68 68 + expiresAt: time.Now().Add(-1 * time.Hour), // 1 hour ago 69 69 + } 70 70 + globalServiceTokensMu.Unlock() 71 71 + 72 72 + // Try to get - should return empty since expired 73 73 + token, expiresAt := GetServiceToken(did, holdDID) 74 74 + if token != "" { 75 75 + t.Errorf("Expected empty token for expired entry, got %q", token) 76 76 + } 77 77 + if !expiresAt.IsZero() { 78 78 + t.Error("Expected zero time for expired entry") 79 79 + } 80 80 + 81 81 + // Verify token was removed from cache 82 82 + globalServiceTokensMu.RLock() 83 83 + _, exists := globalServiceTokens[cacheKey] 84 84 + globalServiceTokensMu.RUnlock() 85 85 + 86 86 + if exists { 87 87 + t.Error("Expected expired token to be removed from cache") 88 88 + } 89 89 + } 90 90 + 91 91 + func TestInvalidateServiceToken(t *testing.T) { 92 92 + // Set a token 93 93 + did := "did:plc:test123" 94 94 + holdDID := "did:web:hold.example.com" 95 95 + token := "test_token" 96 96 + 97 97 + err := SetServiceToken(did, holdDID, token) 98 98 + if err != nil { 99 99 + t.Fatalf("SetServiceToken() error = %v", err) 100 100 + } 101 101 + 102 102 + // Verify it's cached 103 103 + cachedToken, _ := GetServiceToken(did, holdDID) 104 104 + if cachedToken != token { 105 105 + t.Fatal("Token should be cached") 106 106 + } 107 107 + 108 108 + // Invalidate 109 109 + InvalidateServiceToken(did, holdDID) 110 110 + 111 111 + // Verify it's gone 112 112 + cachedToken, _ = GetServiceToken(did, holdDID) 113 113 + if cachedToken != "" { 114 114 + t.Error("Expected token to be invalidated") 115 115 + } 116 116 + } 117 117 + 118 118 + func TestCleanExpiredTokens(t *testing.T) { 119 119 + // Clear cache first 120 120 + globalServiceTokensMu.Lock() 121 121 + globalServiceTokens = make(map[string]*serviceTokenEntry) 122 122 + globalServiceTokensMu.Unlock() 123 123 + 124 124 + // Add expired and valid tokens 125 125 + globalServiceTokensMu.Lock() 126 126 + globalServiceTokens["expired:hold1"] = &serviceTokenEntry{ 127 127 + token: "expired1", 128 128 + expiresAt: time.Now().Add(-1 * time.Hour), 129 129 + } 130 130 + globalServiceTokens["valid:hold2"] = &serviceTokenEntry{ 131 131 + token: "valid1", 132 132 + expiresAt: time.Now().Add(1 * time.Hour), 133 133 + } 134 134 + globalServiceTokensMu.Unlock() 135 135 + 136 136 + // Clean expired 137 137 + CleanExpiredTokens() 138 138 + 139 139 + // Verify only valid token remains 140 140 + globalServiceTokensMu.RLock() 141 141 + _, expiredExists := globalServiceTokens["expired:hold1"] 142 142 + _, validExists := globalServiceTokens["valid:hold2"] 143 143 + globalServiceTokensMu.RUnlock() 144 144 + 145 145 + if expiredExists { 146 146 + t.Error("Expected expired token to be removed") 147 147 + } 148 148 + if !validExists { 149 149 + t.Error("Expected valid token to remain") 150 150 + } 151 151 + } 152 152 + 153 153 + func TestGetCacheStats(t *testing.T) { 154 154 + // Clear cache first 155 155 + globalServiceTokensMu.Lock() 156 156 + globalServiceTokens = make(map[string]*serviceTokenEntry) 157 157 + globalServiceTokensMu.Unlock() 158 158 + 159 159 + // Add some tokens 160 160 + globalServiceTokensMu.Lock() 161 161 + globalServiceTokens["did1:hold1"] = &serviceTokenEntry{ 162 162 + token: "token1", 163 163 + expiresAt: time.Now().Add(1 * time.Hour), 164 164 + } 165 165 + globalServiceTokens["did2:hold2"] = &serviceTokenEntry{ 166 166 + token: "token2", 167 167 + expiresAt: time.Now().Add(1 * time.Hour), 168 168 + } 169 169 + globalServiceTokensMu.Unlock() 170 170 + 171 171 + stats := GetCacheStats() 172 172 + if stats == nil { 173 173 + t.Fatal("Expected non-nil stats") 174 174 + } 175 175 + 176 176 + // GetCacheStats returns map[string]any with "total_entries" key 177 177 + totalEntries, ok := stats["total_entries"].(int) 178 178 + if !ok { 179 179 + t.Fatalf("Expected total_entries in stats map, got: %v", stats) 180 180 + } 181 181 + 182 182 + if totalEntries != 2 { 183 183 + t.Errorf("Expected 2 entries, got %d", totalEntries) 184 184 + } 185 185 + 186 186 + // Also check valid_tokens 187 187 + validTokens, ok := stats["valid_tokens"].(int) 188 188 + if !ok { 189 189 + t.Fatal("Expected valid_tokens in stats map") 190 190 + } 191 191 + 192 192 + if validTokens != 2 { 193 193 + t.Errorf("Expected 2 valid tokens, got %d", validTokens) 194 194 + } 195 195 + }

+3 -3

pkg/auth/hold_authorizer.go

··· 21 21 22 22 // GetCaptainRecord retrieves the captain record for a hold 23 23 // Used to check public flag and allowAllCrew settings 24 24 - GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.HoldCaptain, error) 24 24 + GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) 25 25 26 26 // IsCrewMember checks if userDID is a crew member of holdDID 27 27 IsCrewMember(ctx context.Context, holdDID, userDID string) (bool, error) ··· 32 32 // Read access rules: 33 33 // - Public hold: allow anyone (even anonymous) 34 34 // - Private hold: require authentication (any authenticated user) 35 35 - func CheckReadAccessWithCaptain(captain *atproto.HoldCaptain, userDID string) bool { 35 35 + func CheckReadAccessWithCaptain(captain *atproto.CaptainRecord, userDID string) bool { 36 36 if captain.Public { 37 37 // Public hold - allow anyone (even anonymous) 38 38 return true ··· 55 55 // Write access rules: 56 56 // - Must be authenticated 57 57 // - Must be hold owner OR crew member 58 58 - func CheckWriteAccessWithCaptain(captain *atproto.HoldCaptain, userDID string, isCrew bool) bool { 58 58 + func CheckWriteAccessWithCaptain(captain *atproto.CaptainRecord, userDID string, isCrew bool) bool { 59 59 slog.Debug("Checking write access", "userDID", userDID, "owner", captain.Owner, "isCrew", isCrew) 60 60 61 61 if userDID == "" {

+5 -5

pkg/auth/hold_authorizer_test.go

··· 7 7 ) 8 8 9 9 func TestCheckReadAccessWithCaptain_PublicHold(t *testing.T) { 10 10 - captain := &atproto.HoldCaptain{ 10 10 + captain := &atproto.CaptainRecord{ 11 11 Public: true, 12 12 Owner: "did:plc:owner123", 13 13 } ··· 26 26 } 27 27 28 28 func TestCheckReadAccessWithCaptain_PrivateHold(t *testing.T) { 29 29 - captain := &atproto.HoldCaptain{ 29 29 + captain := &atproto.CaptainRecord{ 30 30 Public: false, 31 31 Owner: "did:plc:owner123", 32 32 } ··· 45 45 } 46 46 47 47 func TestCheckWriteAccessWithCaptain_Owner(t *testing.T) { 48 48 - captain := &atproto.HoldCaptain{ 48 48 + captain := &atproto.CaptainRecord{ 49 49 Public: false, 50 50 Owner: "did:plc:owner123", 51 51 } ··· 58 58 } 59 59 60 60 func TestCheckWriteAccessWithCaptain_Crew(t *testing.T) { 61 61 - captain := &atproto.HoldCaptain{ 61 61 + captain := &atproto.CaptainRecord{ 62 62 Public: false, 63 63 Owner: "did:plc:owner123", 64 64 } ··· 77 77 } 78 78 79 79 func TestCheckWriteAccessWithCaptain_Anonymous(t *testing.T) { 80 80 - captain := &atproto.HoldCaptain{ 80 80 + captain := &atproto.CaptainRecord{ 81 81 Public: false, 82 82 Owner: "did:plc:owner123", 83 83 }

+2 -2

pkg/auth/hold_local.go

··· 35 35 } 36 36 37 37 // GetCaptainRecord retrieves the captain record from the hold's PDS 38 38 - func (a *LocalHoldAuthorizer) GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.HoldCaptain, error) { 38 38 + func (a *LocalHoldAuthorizer) GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) { 39 39 // Verify that the requested holdDID matches this hold 40 40 if holdDID != a.pds.DID() { 41 41 return nil, fmt.Errorf("holdDID mismatch: requested %s, this hold is %s", holdDID, a.pds.DID()) ··· 47 47 return nil, fmt.Errorf("failed to get captain record: %w", err) 48 48 } 49 49 50 50 - // The PDS returns *atproto.HoldCaptain directly 50 50 + // The PDS returns *atproto.CaptainRecord directly now (after we update pds to use atproto types) 51 51 return pdsCaptain, nil 52 52 } 53 53

+20 -34

pkg/auth/hold_remote.go

··· 101 101 // 1. Check database cache 102 102 // 2. If cache miss or expired, query hold's XRPC endpoint 103 103 // 3. Update cache 104 104 - func (a *RemoteHoldAuthorizer) GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.HoldCaptain, error) { 104 104 + func (a *RemoteHoldAuthorizer) GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) { 105 105 // Try cache first 106 106 if a.db != nil { 107 107 cached, err := a.getCachedCaptainRecord(holdDID) 108 108 if err == nil && cached != nil { 109 109 // Cache hit - check if still valid 110 110 if time.Since(cached.UpdatedAt) < a.cacheTTL { 111 111 - return cached.HoldCaptain, nil 111 111 + return cached.CaptainRecord, nil 112 112 } 113 113 // Cache expired - continue to fetch fresh data 114 114 } ··· 133 133 134 134 // captainRecordWithMeta includes UpdatedAt for cache management 135 135 type captainRecordWithMeta struct { 136 136 - *atproto.HoldCaptain 136 136 + *atproto.CaptainRecord 137 137 UpdatedAt time.Time 138 138 } 139 139 ··· 145 145 WHERE hold_did = ? 146 146 ` 147 147 148 148 - var record atproto.HoldCaptain 148 148 + var record atproto.CaptainRecord 149 149 var deployedAt, region, provider sql.NullString 150 150 var updatedAt time.Time 151 151 ··· 172 172 record.DeployedAt = deployedAt.String 173 173 } 174 174 if region.Valid { 175 175 - record.Region = &region.String 175 175 + record.Region = region.String 176 176 } 177 177 if provider.Valid { 178 178 - record.Provider = &provider.String 178 178 + record.Provider = provider.String 179 179 } 180 180 181 181 return &captainRecordWithMeta{ 182 182 - HoldCaptain: &record, 183 183 - UpdatedAt: updatedAt, 182 182 + CaptainRecord: &record, 183 183 + UpdatedAt: updatedAt, 184 184 }, nil 185 185 } 186 186 187 187 // setCachedCaptainRecord stores a captain record in database cache 188 188 - func (a *RemoteHoldAuthorizer) setCachedCaptainRecord(holdDID string, record *atproto.HoldCaptain) error { 188 188 + func (a *RemoteHoldAuthorizer) setCachedCaptainRecord(holdDID string, record *atproto.CaptainRecord) error { 189 189 query := ` 190 190 INSERT INTO hold_captain_records ( 191 191 hold_did, owner_did, public, allow_all_crew, ··· 207 207 record.Public, 208 208 record.AllowAllCrew, 209 209 nullString(record.DeployedAt), 210 210 - nullStringPtr(record.Region), 211 211 - nullStringPtr(record.Provider), 210 210 + nullString(record.Region), 211 211 + nullString(record.Provider), 212 212 time.Now(), 213 213 ) 214 214 ··· 216 216 } 217 217 218 218 // fetchCaptainRecordFromXRPC queries the hold's XRPC endpoint for captain record 219 219 - func (a *RemoteHoldAuthorizer) fetchCaptainRecordFromXRPC(ctx context.Context, holdDID string) (*atproto.HoldCaptain, error) { 219 219 + func (a *RemoteHoldAuthorizer) fetchCaptainRecordFromXRPC(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) { 220 220 // Resolve DID to URL 221 221 holdURL := atproto.ResolveHoldURL(holdDID) 222 222 ··· 261 261 } 262 262 263 263 // Convert to our type 264 264 - record := &atproto.HoldCaptain{ 265 265 - LexiconTypeID: atproto.CaptainCollection, 266 266 - Owner: xrpcResp.Value.Owner, 267 267 - Public: xrpcResp.Value.Public, 268 268 - AllowAllCrew: xrpcResp.Value.AllowAllCrew, 269 269 - DeployedAt: xrpcResp.Value.DeployedAt, 270 270 - } 271 271 - 272 272 - // Handle optional pointer fields 273 273 - if xrpcResp.Value.Region != "" { 274 274 - record.Region = &xrpcResp.Value.Region 275 275 - } 276 276 - if xrpcResp.Value.Provider != "" { 277 277 - record.Provider = &xrpcResp.Value.Provider 264 264 + record := &atproto.CaptainRecord{ 265 265 + Type: atproto.CaptainCollection, 266 266 + Owner: xrpcResp.Value.Owner, 267 267 + Public: xrpcResp.Value.Public, 268 268 + AllowAllCrew: xrpcResp.Value.AllowAllCrew, 269 269 + DeployedAt: xrpcResp.Value.DeployedAt, 270 270 + Region: xrpcResp.Value.Region, 271 271 + Provider: xrpcResp.Value.Provider, 278 272 } 279 273 280 274 return record, nil ··· 412 406 return sql.NullString{Valid: false} 413 407 } 414 408 return sql.NullString{String: s, Valid: true} 415 415 - } 416 416 - 417 417 - // nullStringPtr converts a *string to sql.NullString 418 418 - func nullStringPtr(s *string) sql.NullString { 419 419 - if s == nil || *s == "" { 420 420 - return sql.NullString{Valid: false} 421 421 - } 422 422 - return sql.NullString{String: *s, Valid: true} 423 409 } 424 410 425 411 // getCachedApproval checks if user has a cached crew approval

+8 -13

pkg/auth/hold_remote_test.go

··· 14 14 "atcr.io/pkg/atproto" 15 15 ) 16 16 17 17 - // ptrString returns a pointer to the given string 18 18 - func ptrString(s string) *string { 19 19 - return &s 20 20 - } 21 21 - 22 17 func TestNewRemoteHoldAuthorizer(t *testing.T) { 23 18 // Test with nil database (should still work) 24 19 authorizer := NewRemoteHoldAuthorizer(nil, false) ··· 138 133 holdDID := "did:web:hold01.atcr.io" 139 134 140 135 // Pre-populate cache with a captain record 141 141 - captainRecord := &atproto.HoldCaptain{ 142 142 - LexiconTypeID: atproto.CaptainCollection, 143 143 - Owner: "did:plc:owner123", 144 144 - Public: true, 145 145 - AllowAllCrew: false, 146 146 - DeployedAt: "2025-10-28T00:00:00Z", 147 147 - Region: ptrString("us-east-1"), 148 148 - Provider: ptrString("fly.io"), 136 136 + captainRecord := &atproto.CaptainRecord{ 137 137 + Type: atproto.CaptainCollection, 138 138 + Owner: "did:plc:owner123", 139 139 + Public: true, 140 140 + AllowAllCrew: false, 141 141 + DeployedAt: "2025-10-28T00:00:00Z", 142 142 + Region: "us-east-1", 143 143 + Provider: "fly.io", 149 144 } 150 145 151 146 err := remote.setCachedCaptainRecord(holdDID, captainRecord)

+80

pkg/auth/mock_authorizer.go

··· 1 1 + package auth 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + 6 6 + "atcr.io/pkg/atproto" 7 7 + ) 8 8 + 9 9 + // MockHoldAuthorizer is a test double for HoldAuthorizer. 10 10 + // It allows tests to control the return values of authorization checks 11 11 + // without making network calls or querying a real PDS. 12 12 + type MockHoldAuthorizer struct { 13 13 + // Direct result control 14 14 + CanReadResult bool 15 15 + CanWriteResult bool 16 16 + CanAdminResult bool 17 17 + Error error 18 18 + 19 19 + // Captain record to return (optional, for GetCaptainRecord) 20 20 + CaptainRecord *atproto.CaptainRecord 21 21 + 22 22 + // Crew membership (optional, for IsCrewMember) 23 23 + IsCrewResult bool 24 24 + } 25 25 + 26 26 + // NewMockHoldAuthorizer creates a MockHoldAuthorizer with sensible defaults. 27 27 + // By default, it allows all access (public hold, user is owner). 28 28 + func NewMockHoldAuthorizer() *MockHoldAuthorizer { 29 29 + return &MockHoldAuthorizer{ 30 30 + CanReadResult: true, 31 31 + CanWriteResult: true, 32 32 + CanAdminResult: false, 33 33 + IsCrewResult: false, 34 34 + CaptainRecord: &atproto.CaptainRecord{ 35 35 + Type: "io.atcr.hold.captain", 36 36 + Owner: "did:plc:mock-owner", 37 37 + Public: true, 38 38 + }, 39 39 + } 40 40 + } 41 41 + 42 42 + // CheckReadAccess returns the configured CanReadResult. 43 43 + func (m *MockHoldAuthorizer) CheckReadAccess(ctx context.Context, holdDID, userDID string) (bool, error) { 44 44 + if m.Error != nil { 45 45 + return false, m.Error 46 46 + } 47 47 + return m.CanReadResult, nil 48 48 + } 49 49 + 50 50 + // CheckWriteAccess returns the configured CanWriteResult. 51 51 + func (m *MockHoldAuthorizer) CheckWriteAccess(ctx context.Context, holdDID, userDID string) (bool, error) { 52 52 + if m.Error != nil { 53 53 + return false, m.Error 54 54 + } 55 55 + return m.CanWriteResult, nil 56 56 + } 57 57 + 58 58 + // GetCaptainRecord returns the configured CaptainRecord or a default. 59 59 + func (m *MockHoldAuthorizer) GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) { 60 60 + if m.Error != nil { 61 61 + return nil, m.Error 62 62 + } 63 63 + if m.CaptainRecord != nil { 64 64 + return m.CaptainRecord, nil 65 65 + } 66 66 + // Return a default captain record 67 67 + return &atproto.CaptainRecord{ 68 68 + Type: "io.atcr.hold.captain", 69 69 + Owner: "did:plc:mock-owner", 70 70 + Public: true, 71 71 + }, nil 72 72 + } 73 73 + 74 74 + // IsCrewMember returns the configured IsCrewResult. 75 75 + func (m *MockHoldAuthorizer) IsCrewMember(ctx context.Context, holdDID, userDID string) (bool, error) { 76 76 + if m.Error != nil { 77 77 + return false, m.Error 78 78 + } 79 79 + return m.IsCrewResult, nil 80 80 + }

+42 -32

pkg/auth/oauth/client.go

··· 72 72 return baseURL + "/auth/oauth/callback" 73 73 } 74 74 75 75 - // GetDefaultScopes returns the default OAuth scopes for ATCR registry operations 76 76 - // testMode determines whether to use transition:generic (test) or rpc scopes (production) 75 75 + // GetDefaultScopes returns the default OAuth scopes for ATCR registry operations. 76 76 + // Includes io.atcr.authFullApp permission-set plus individual scopes for PDS compatibility. 77 77 + // Blob scopes are listed explicitly (not supported in Lexicon permission-sets). 77 78 func GetDefaultScopes(did string) []string { 78 78 - scopes := []string{ 79 79 + return []string{ 79 80 "atproto", 81 81 + // Permission-set (for future PDS support) 82 82 + // See lexicons/io/atcr/authFullApp.json for definition 83 83 + // Uses "include:" prefix per ATProto permission spec 84 84 + "include:io.atcr.authFullApp", 85 85 + // com.atproto scopes must be separate (permission-sets are namespace-limited) 86 86 + "rpc:com.atproto.repo.getRecord?aud=*", 87 87 + // Blob scopes (not supported in Lexicon permission-sets) 80 88 // Image manifest types (single-arch) 81 89 "blob:application/vnd.oci.image.manifest.v1+json", 82 90 "blob:application/vnd.docker.distribution.manifest.v2+json", ··· 85 93 "blob:application/vnd.docker.distribution.manifest.list.v2+json", 86 94 // OCI artifact manifests (for cosign signatures, SBOMs, attestations) 87 95 "blob:application/vnd.cncf.oras.artifact.manifest.v1+json", 88 88 - // Used for service token validation on holds 89 89 - "rpc:com.atproto.repo.getRecord?aud=*", 96 96 + // Image avatars 97 97 + "blob:image/*", 90 98 } 91 91 - 92 92 - // Add repo scopes 93 93 - scopes = append(scopes, 94 94 - fmt.Sprintf("repo:%s", atproto.ManifestCollection), 95 95 - fmt.Sprintf("repo:%s", atproto.TagCollection), 96 96 - fmt.Sprintf("repo:%s", atproto.StarCollection), 97 97 - fmt.Sprintf("repo:%s", atproto.SailorProfileCollection), 98 98 - ) 99 99 - 100 100 - return scopes 101 99 } 102 100 103 101 // ScopesMatch checks if two scope lists are equivalent (order-independent) ··· 225 223 // The session's PersistSessionCallback will save nonce updates to DB 226 224 err = fn(session) 227 225 226 226 + // If request failed with auth error, delete session to force re-auth 227 227 + if err != nil && isAuthError(err) { 228 228 + slog.Warn("Auth error detected, deleting session to force re-auth", 229 229 + "component", "oauth/refresher", 230 230 + "did", did, 231 231 + "error", err) 232 232 + // Don't hold the lock while deleting - release first 233 233 + mutex.Unlock() 234 234 + _ = r.DeleteSession(ctx, did) 235 235 + mutex.Lock() // Re-acquire for the deferred unlock 236 236 + } 237 237 + 228 238 slog.Debug("Released session lock for DoWithSession", 229 239 "component", "oauth/refresher", 230 240 "did", did, ··· 233 243 return err 234 244 } 235 245 246 246 + // isAuthError checks if an error looks like an OAuth/auth failure 247 247 + func isAuthError(err error) bool { 248 248 + if err == nil { 249 249 + return false 250 250 + } 251 251 + errStr := strings.ToLower(err.Error()) 252 252 + return strings.Contains(errStr, "unauthorized") || 253 253 + strings.Contains(errStr, "invalid_token") || 254 254 + strings.Contains(errStr, "insufficient_scope") || 255 255 + strings.Contains(errStr, "token expired") || 256 256 + strings.Contains(errStr, "401") 257 257 + } 258 258 + 236 259 // resumeSession loads a session from storage 237 260 func (r *Refresher) resumeSession(ctx context.Context, did string) (*oauth.ClientSession, error) { 238 261 // Parse DID ··· 257 280 return nil, fmt.Errorf("no session found for DID: %s", did) 258 281 } 259 282 260 260 - // Validate that session scopes match current desired scopes 283 283 + // Log scope differences for debugging, but don't delete session 284 284 + // The PDS will reject requests if scopes are insufficient 285 285 + // (Permission-sets get expanded by PDS, so exact matching doesn't work) 261 286 desiredScopes := r.clientApp.Config.Scopes 262 287 if !ScopesMatch(sessionData.Scopes, desiredScopes) { 263 263 - slog.Debug("Scope mismatch, deleting session", 288 288 + slog.Debug("Session scopes differ from desired (may be permission-set expansion)", 264 289 "did", did, 265 290 "storedScopes", sessionData.Scopes, 266 291 "desiredScopes", desiredScopes) 267 267 - 268 268 - // Delete the session from database since scopes have changed 269 269 - if err := r.clientApp.Store.DeleteSession(ctx, accountDID, sessionID); err != nil { 270 270 - slog.Warn("Failed to delete session with mismatched scopes", "error", err, "did", did) 271 271 - } 272 272 - 273 273 - // Also invalidate UI sessions since OAuth is now invalid 274 274 - if r.uiSessionStore != nil { 275 275 - r.uiSessionStore.DeleteByDID(did) 276 276 - slog.Info("Invalidated UI sessions due to scope mismatch", 277 277 - "component", "oauth/refresher", 278 278 - "did", did) 279 279 - } 280 280 - 281 281 - return nil, fmt.Errorf("OAuth scopes changed, re-authentication required") 282 292 } 283 293 284 294 // Resume session

+7 -30

pkg/auth/oauth/client_test.go

··· 1 1 package oauth 2 2 3 3 import ( 4 4 + "github.com/bluesky-social/indigo/atproto/auth/oauth" 4 5 "testing" 5 6 ) 6 7 7 8 func TestNewClientApp(t *testing.T) { 8 8 - tmpDir := t.TempDir() 9 9 - storePath := tmpDir + "/oauth-test.json" 10 10 - keyPath := tmpDir + "/oauth-key.bin" 11 11 - 12 12 - store, err := NewFileStore(storePath) 13 13 - if err != nil { 14 14 - t.Fatalf("NewFileStore() error = %v", err) 15 15 - } 9 9 + keyPath := t.TempDir() + "/oauth-key.bin" 10 10 + store := oauth.NewMemStore() 16 11 17 12 baseURL := "http://localhost:5000" 18 13 scopes := GetDefaultScopes("*") ··· 32 27 } 33 28 34 29 func TestNewClientAppWithCustomScopes(t *testing.T) { 35 35 - tmpDir := t.TempDir() 36 36 - storePath := tmpDir + "/oauth-test.json" 37 37 - keyPath := tmpDir + "/oauth-key.bin" 38 38 - 39 39 - store, err := NewFileStore(storePath) 40 40 - if err != nil { 41 41 - t.Fatalf("NewFileStore() error = %v", err) 42 42 - } 30 30 + keyPath := t.TempDir() + "/oauth-key.bin" 31 31 + store := oauth.NewMemStore() 43 32 44 33 baseURL := "http://localhost:5000" 45 34 scopes := []string{"atproto", "custom:scope"} ··· 128 117 // ---------------------------------------------------------------------------- 129 118 130 119 func TestNewRefresher(t *testing.T) { 131 131 - tmpDir := t.TempDir() 132 132 - storePath := tmpDir + "/oauth-test.json" 133 133 - 134 134 - store, err := NewFileStore(storePath) 135 135 - if err != nil { 136 136 - t.Fatalf("NewFileStore() error = %v", err) 137 137 - } 120 120 + store := oauth.NewMemStore() 138 121 139 122 scopes := GetDefaultScopes("*") 140 123 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 153 136 } 154 137 155 138 func TestRefresher_SetUISessionStore(t *testing.T) { 156 156 - tmpDir := t.TempDir() 157 157 - storePath := tmpDir + "/oauth-test.json" 158 158 - 159 159 - store, err := NewFileStore(storePath) 160 160 - if err != nil { 161 161 - t.Fatalf("NewFileStore() error = %v", err) 162 162 - } 139 139 + store := oauth.NewMemStore() 163 140 164 141 scopes := GetDefaultScopes("*") 165 142 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry")

+1 -5

pkg/auth/oauth/interactive.go

··· 26 26 registerCallback func(handler http.HandlerFunc) error, 27 27 displayAuthURL func(string) error, 28 28 ) (*InteractiveResult, error) { 29 29 - // Create temporary file store for this flow 30 30 - store, err := NewFileStore("/tmp/atcr-oauth-temp.json") 31 31 - if err != nil { 32 32 - return nil, fmt.Errorf("failed to create OAuth store: %w", err) 33 33 - } 29 29 + store := oauth.NewMemStore() 34 30 35 31 // Create OAuth client app with custom scopes (or defaults if nil) 36 32 // Interactive flows are typically for production use (credential helper, etc.)

+13 -84

pkg/auth/oauth/server_test.go

··· 2 2 3 3 import ( 4 4 "context" 5 5 + "github.com/bluesky-social/indigo/atproto/auth/oauth" 5 6 "net/http" 6 7 "net/http/httptest" 7 8 "strings" ··· 11 12 12 13 func TestNewServer(t *testing.T) { 13 14 // Create a basic OAuth app for testing 14 14 - tmpDir := t.TempDir() 15 15 - storePath := tmpDir + "/oauth-test.json" 16 16 - 17 17 - store, err := NewFileStore(storePath) 18 18 - if err != nil { 19 19 - t.Fatalf("NewFileStore() error = %v", err) 20 20 - } 15 15 + store := oauth.NewMemStore() 21 16 22 17 scopes := GetDefaultScopes("*") 23 18 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 36 31 } 37 32 38 33 func TestServer_SetRefresher(t *testing.T) { 39 39 - tmpDir := t.TempDir() 40 40 - storePath := tmpDir + "/oauth-test.json" 41 41 - 42 42 - store, err := NewFileStore(storePath) 43 43 - if err != nil { 44 44 - t.Fatalf("NewFileStore() error = %v", err) 45 45 - } 34 34 + store := oauth.NewMemStore() 46 35 47 36 scopes := GetDefaultScopes("*") 48 37 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 60 49 } 61 50 62 51 func TestServer_SetPostAuthCallback(t *testing.T) { 63 63 - tmpDir := t.TempDir() 64 64 - storePath := tmpDir + "/oauth-test.json" 65 65 - 66 66 - store, err := NewFileStore(storePath) 67 67 - if err != nil { 68 68 - t.Fatalf("NewFileStore() error = %v", err) 69 69 - } 52 52 + store := oauth.NewMemStore() 70 53 71 54 scopes := GetDefaultScopes("*") 72 55 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 87 70 } 88 71 89 72 func TestServer_SetUISessionStore(t *testing.T) { 90 90 - tmpDir := t.TempDir() 91 91 - storePath := tmpDir + "/oauth-test.json" 92 92 - 93 93 - store, err := NewFileStore(storePath) 94 94 - if err != nil { 95 95 - t.Fatalf("NewFileStore() error = %v", err) 96 96 - } 73 73 + store := oauth.NewMemStore() 97 74 98 75 scopes := GetDefaultScopes("*") 99 76 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 151 128 // ServeAuthorize tests 152 129 153 130 func TestServer_ServeAuthorize_MissingHandle(t *testing.T) { 154 154 - tmpDir := t.TempDir() 155 155 - storePath := tmpDir + "/oauth-test.json" 156 156 - 157 157 - store, err := NewFileStore(storePath) 158 158 - if err != nil { 159 159 - t.Fatalf("NewFileStore() error = %v", err) 160 160 - } 131 131 + store := oauth.NewMemStore() 161 132 162 133 scopes := GetDefaultScopes("*") 163 134 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 179 150 } 180 151 181 152 func TestServer_ServeAuthorize_InvalidMethod(t *testing.T) { 182 182 - tmpDir := t.TempDir() 183 183 - storePath := tmpDir + "/oauth-test.json" 184 184 - 185 185 - store, err := NewFileStore(storePath) 186 186 - if err != nil { 187 187 - t.Fatalf("NewFileStore() error = %v", err) 188 188 - } 153 153 + store := oauth.NewMemStore() 189 154 190 155 scopes := GetDefaultScopes("*") 191 156 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 209 174 // ServeCallback tests 210 175 211 176 func TestServer_ServeCallback_InvalidMethod(t *testing.T) { 212 212 - tmpDir := t.TempDir() 213 213 - storePath := tmpDir + "/oauth-test.json" 214 214 - 215 215 - store, err := NewFileStore(storePath) 216 216 - if err != nil { 217 217 - t.Fatalf("NewFileStore() error = %v", err) 218 218 - } 177 177 + store := oauth.NewMemStore() 219 178 220 179 scopes := GetDefaultScopes("*") 221 180 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 237 196 } 238 197 239 198 func TestServer_ServeCallback_OAuthError(t *testing.T) { 240 240 - tmpDir := t.TempDir() 241 241 - storePath := tmpDir + "/oauth-test.json" 242 242 - 243 243 - store, err := NewFileStore(storePath) 244 244 - if err != nil { 245 245 - t.Fatalf("NewFileStore() error = %v", err) 246 246 - } 199 199 + store := oauth.NewMemStore() 247 200 248 201 scopes := GetDefaultScopes("*") 249 202 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 270 223 } 271 224 272 225 func TestServer_ServeCallback_WithPostAuthCallback(t *testing.T) { 273 273 - tmpDir := t.TempDir() 274 274 - storePath := tmpDir + "/oauth-test.json" 275 275 - 276 276 - store, err := NewFileStore(storePath) 277 277 - if err != nil { 278 278 - t.Fatalf("NewFileStore() error = %v", err) 279 279 - } 226 226 + store := oauth.NewMemStore() 280 227 281 228 scopes := GetDefaultScopes("*") 282 229 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 315 262 }, 316 263 } 317 264 318 318 - tmpDir := t.TempDir() 319 319 - storePath := tmpDir + "/oauth-test.json" 320 320 - 321 321 - store, err := NewFileStore(storePath) 322 322 - if err != nil { 323 323 - t.Fatalf("NewFileStore() error = %v", err) 324 324 - } 265 265 + store := oauth.NewMemStore() 325 266 326 267 scopes := GetDefaultScopes("*") 327 268 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 345 286 } 346 287 347 288 func TestServer_RenderError(t *testing.T) { 348 348 - tmpDir := t.TempDir() 349 349 - storePath := tmpDir + "/oauth-test.json" 350 350 - 351 351 - store, err := NewFileStore(storePath) 352 352 - if err != nil { 353 353 - t.Fatalf("NewFileStore() error = %v", err) 354 354 - } 289 289 + store := oauth.NewMemStore() 355 290 356 291 scopes := GetDefaultScopes("*") 357 292 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry") ··· 380 315 } 381 316 382 317 func TestServer_RenderRedirectToSettings(t *testing.T) { 383 383 - tmpDir := t.TempDir() 384 384 - storePath := tmpDir + "/oauth-test.json" 385 385 - 386 386 - store, err := NewFileStore(storePath) 387 387 - if err != nil { 388 388 - t.Fatalf("NewFileStore() error = %v", err) 389 389 - } 318 318 + store := oauth.NewMemStore() 390 319 391 320 scopes := GetDefaultScopes("*") 392 321 clientApp, err := NewClientApp("http://localhost:5000", store, scopes, "", "AT Container Registry")

-236

pkg/auth/oauth/store.go

··· 1 1 - package oauth 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "encoding/json" 6 6 - "fmt" 7 7 - "maps" 8 8 - "os" 9 9 - "path/filepath" 10 10 - "sync" 11 11 - "time" 12 12 - 13 13 - "github.com/bluesky-social/indigo/atproto/auth/oauth" 14 14 - "github.com/bluesky-social/indigo/atproto/syntax" 15 15 - ) 16 16 - 17 17 - // FileStore implements oauth.ClientAuthStore with file-based persistence 18 18 - type FileStore struct { 19 19 - path string 20 20 - sessions map[string]*oauth.ClientSessionData // Key: "did:sessionID" 21 21 - requests map[string]*oauth.AuthRequestData // Key: state 22 22 - mu sync.RWMutex 23 23 - } 24 24 - 25 25 - // FileStoreData represents the JSON structure stored on disk 26 26 - type FileStoreData struct { 27 27 - Sessions map[string]*oauth.ClientSessionData `json:"sessions"` 28 28 - Requests map[string]*oauth.AuthRequestData `json:"requests"` 29 29 - } 30 30 - 31 31 - // NewFileStore creates a new file-based OAuth store 32 32 - func NewFileStore(path string) (*FileStore, error) { 33 33 - store := &FileStore{ 34 34 - path: path, 35 35 - sessions: make(map[string]*oauth.ClientSessionData), 36 36 - requests: make(map[string]*oauth.AuthRequestData), 37 37 - } 38 38 - 39 39 - // Load existing data if file exists 40 40 - if err := store.load(); err != nil { 41 41 - if !os.IsNotExist(err) { 42 42 - return nil, fmt.Errorf("failed to load store: %w", err) 43 43 - } 44 44 - // File doesn't exist yet, that's ok 45 45 - } 46 46 - 47 47 - return store, nil 48 48 - } 49 49 - 50 50 - // GetDefaultStorePath returns the default storage path for OAuth data 51 51 - func GetDefaultStorePath() (string, error) { 52 52 - // For AppView: /var/lib/atcr/oauth-sessions.json 53 53 - // For CLI tools: ~/.atcr/oauth-sessions.json 54 54 - 55 55 - // Check if running as a service (has write access to /var/lib) 56 56 - servicePath := "/var/lib/atcr/oauth-sessions.json" 57 57 - if err := os.MkdirAll(filepath.Dir(servicePath), 0700); err == nil { 58 58 - // Can write to /var/lib, use service path 59 59 - return servicePath, nil 60 60 - } 61 61 - 62 62 - // Fall back to user home directory 63 63 - homeDir, err := os.UserHomeDir() 64 64 - if err != nil { 65 65 - return "", fmt.Errorf("failed to get home directory: %w", err) 66 66 - } 67 67 - 68 68 - atcrDir := filepath.Join(homeDir, ".atcr") 69 69 - if err := os.MkdirAll(atcrDir, 0700); err != nil { 70 70 - return "", fmt.Errorf("failed to create .atcr directory: %w", err) 71 71 - } 72 72 - 73 73 - return filepath.Join(atcrDir, "oauth-sessions.json"), nil 74 74 - } 75 75 - 76 76 - // GetSession retrieves a session by DID and session ID 77 77 - func (s *FileStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauth.ClientSessionData, error) { 78 78 - s.mu.RLock() 79 79 - defer s.mu.RUnlock() 80 80 - 81 81 - key := makeSessionKey(did.String(), sessionID) 82 82 - session, ok := s.sessions[key] 83 83 - if !ok { 84 84 - return nil, fmt.Errorf("session not found: %s/%s", did, sessionID) 85 85 - } 86 86 - 87 87 - return session, nil 88 88 - } 89 89 - 90 90 - // SaveSession saves or updates a session (upsert) 91 91 - func (s *FileStore) SaveSession(ctx context.Context, sess oauth.ClientSessionData) error { 92 92 - s.mu.Lock() 93 93 - defer s.mu.Unlock() 94 94 - 95 95 - key := makeSessionKey(sess.AccountDID.String(), sess.SessionID) 96 96 - s.sessions[key] = &sess 97 97 - 98 98 - return s.save() 99 99 - } 100 100 - 101 101 - // DeleteSession removes a session 102 102 - func (s *FileStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error { 103 103 - s.mu.Lock() 104 104 - defer s.mu.Unlock() 105 105 - 106 106 - key := makeSessionKey(did.String(), sessionID) 107 107 - delete(s.sessions, key) 108 108 - 109 109 - return s.save() 110 110 - } 111 111 - 112 112 - // GetAuthRequestInfo retrieves authentication request data by state 113 113 - func (s *FileStore) GetAuthRequestInfo(ctx context.Context, state string) (*oauth.AuthRequestData, error) { 114 114 - s.mu.RLock() 115 115 - defer s.mu.RUnlock() 116 116 - 117 117 - request, ok := s.requests[state] 118 118 - if !ok { 119 119 - return nil, fmt.Errorf("auth request not found: %s", state) 120 120 - } 121 121 - 122 122 - return request, nil 123 123 - } 124 124 - 125 125 - // SaveAuthRequestInfo saves authentication request data 126 126 - func (s *FileStore) SaveAuthRequestInfo(ctx context.Context, info oauth.AuthRequestData) error { 127 127 - s.mu.Lock() 128 128 - defer s.mu.Unlock() 129 129 - 130 130 - s.requests[info.State] = &info 131 131 - 132 132 - return s.save() 133 133 - } 134 134 - 135 135 - // DeleteAuthRequestInfo removes authentication request data 136 136 - func (s *FileStore) DeleteAuthRequestInfo(ctx context.Context, state string) error { 137 137 - s.mu.Lock() 138 138 - defer s.mu.Unlock() 139 139 - 140 140 - delete(s.requests, state) 141 141 - 142 142 - return s.save() 143 143 - } 144 144 - 145 145 - // CleanupExpired removes expired sessions and auth requests 146 146 - // Should be called periodically (e.g., every hour) 147 147 - func (s *FileStore) CleanupExpired() error { 148 148 - s.mu.Lock() 149 149 - defer s.mu.Unlock() 150 150 - 151 151 - now := time.Now() 152 152 - modified := false 153 153 - 154 154 - // Clean up auth requests older than 10 minutes 155 155 - // (OAuth flows should complete quickly) 156 156 - for state := range s.requests { 157 157 - // Note: AuthRequestData doesn't have a timestamp in indigo's implementation 158 158 - // For now, we'll rely on the OAuth server's cleanup routine 159 159 - // or we could extend AuthRequestData with metadata 160 160 - _ = state // Placeholder for future expiration logic 161 161 - } 162 162 - 163 163 - // Sessions don't have expiry in the data structure 164 164 - // Cleanup would need to be token-based (check token expiry) 165 165 - // For now, manual cleanup via DeleteSession 166 166 - _ = now 167 167 - 168 168 - if modified { 169 169 - return s.save() 170 170 - } 171 171 - 172 172 - return nil 173 173 - } 174 174 - 175 175 - // ListSessions returns all stored sessions for debugging/management 176 176 - func (s *FileStore) ListSessions() map[string]*oauth.ClientSessionData { 177 177 - s.mu.RLock() 178 178 - defer s.mu.RUnlock() 179 179 - 180 180 - // Return a copy to prevent external modification 181 181 - result := make(map[string]*oauth.ClientSessionData) 182 182 - maps.Copy(result, s.sessions) 183 183 - return result 184 184 - } 185 185 - 186 186 - // load reads data from disk 187 187 - func (s *FileStore) load() error { 188 188 - data, err := os.ReadFile(s.path) 189 189 - if err != nil { 190 190 - return err 191 191 - } 192 192 - 193 193 - var storeData FileStoreData 194 194 - if err := json.Unmarshal(data, &storeData); err != nil { 195 195 - return fmt.Errorf("failed to parse store: %w", err) 196 196 - } 197 197 - 198 198 - if storeData.Sessions != nil { 199 199 - s.sessions = storeData.Sessions 200 200 - } 201 201 - if storeData.Requests != nil { 202 202 - s.requests = storeData.Requests 203 203 - } 204 204 - 205 205 - return nil 206 206 - } 207 207 - 208 208 - // save writes data to disk 209 209 - func (s *FileStore) save() error { 210 210 - storeData := FileStoreData{ 211 211 - Sessions: s.sessions, 212 212 - Requests: s.requests, 213 213 - } 214 214 - 215 215 - data, err := json.MarshalIndent(storeData, "", " ") 216 216 - if err != nil { 217 217 - return fmt.Errorf("failed to marshal store: %w", err) 218 218 - } 219 219 - 220 220 - // Ensure directory exists 221 221 - if err := os.MkdirAll(filepath.Dir(s.path), 0700); err != nil { 222 222 - return fmt.Errorf("failed to create directory: %w", err) 223 223 - } 224 224 - 225 225 - // Write with restrictive permissions 226 226 - if err := os.WriteFile(s.path, data, 0600); err != nil { 227 227 - return fmt.Errorf("failed to write store: %w", err) 228 228 - } 229 229 - 230 230 - return nil 231 231 - } 232 232 - 233 233 - // makeSessionKey creates a composite key for session storage 234 234 - func makeSessionKey(did, sessionID string) string { 235 235 - return fmt.Sprintf("%s:%s", did, sessionID) 236 236 - }

-631

pkg/auth/oauth/store_test.go

··· 1 1 - package oauth 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "encoding/json" 6 6 - "os" 7 7 - "testing" 8 8 - "time" 9 9 - 10 10 - "github.com/bluesky-social/indigo/atproto/auth/oauth" 11 11 - "github.com/bluesky-social/indigo/atproto/syntax" 12 12 - ) 13 13 - 14 14 - func TestNewFileStore(t *testing.T) { 15 15 - tmpDir := t.TempDir() 16 16 - storePath := tmpDir + "/oauth-test.json" 17 17 - 18 18 - store, err := NewFileStore(storePath) 19 19 - if err != nil { 20 20 - t.Fatalf("NewFileStore() error = %v", err) 21 21 - } 22 22 - 23 23 - if store == nil { 24 24 - t.Fatal("Expected non-nil store") 25 25 - } 26 26 - 27 27 - if store.path != storePath { 28 28 - t.Errorf("Expected path %q, got %q", storePath, store.path) 29 29 - } 30 30 - 31 31 - if store.sessions == nil { 32 32 - t.Error("Expected sessions map to be initialized") 33 33 - } 34 34 - 35 35 - if store.requests == nil { 36 36 - t.Error("Expected requests map to be initialized") 37 37 - } 38 38 - } 39 39 - 40 40 - func TestFileStore_LoadNonExistent(t *testing.T) { 41 41 - tmpDir := t.TempDir() 42 42 - storePath := tmpDir + "/nonexistent.json" 43 43 - 44 44 - // Should succeed even if file doesn't exist 45 45 - store, err := NewFileStore(storePath) 46 46 - if err != nil { 47 47 - t.Fatalf("NewFileStore() should succeed with non-existent file, got error: %v", err) 48 48 - } 49 49 - 50 50 - if store == nil { 51 51 - t.Fatal("Expected non-nil store") 52 52 - } 53 53 - } 54 54 - 55 55 - func TestFileStore_LoadCorruptedFile(t *testing.T) { 56 56 - tmpDir := t.TempDir() 57 57 - storePath := tmpDir + "/corrupted.json" 58 58 - 59 59 - // Create corrupted JSON file 60 60 - if err := os.WriteFile(storePath, []byte("invalid json {{{"), 0600); err != nil { 61 61 - t.Fatalf("Failed to create corrupted file: %v", err) 62 62 - } 63 63 - 64 64 - // Should fail to load corrupted file 65 65 - _, err := NewFileStore(storePath) 66 66 - if err == nil { 67 67 - t.Error("Expected error when loading corrupted file") 68 68 - } 69 69 - } 70 70 - 71 71 - func TestFileStore_GetSession_NotFound(t *testing.T) { 72 72 - tmpDir := t.TempDir() 73 73 - storePath := tmpDir + "/oauth-test.json" 74 74 - 75 75 - store, err := NewFileStore(storePath) 76 76 - if err != nil { 77 77 - t.Fatalf("NewFileStore() error = %v", err) 78 78 - } 79 79 - 80 80 - ctx := context.Background() 81 81 - did, _ := syntax.ParseDID("did:plc:test123") 82 82 - sessionID := "session123" 83 83 - 84 84 - // Should return error for non-existent session 85 85 - session, err := store.GetSession(ctx, did, sessionID) 86 86 - if err == nil { 87 87 - t.Error("Expected error for non-existent session") 88 88 - } 89 89 - if session != nil { 90 90 - t.Error("Expected nil session for non-existent entry") 91 91 - } 92 92 - } 93 93 - 94 94 - func TestFileStore_SaveAndGetSession(t *testing.T) { 95 95 - tmpDir := t.TempDir() 96 96 - storePath := tmpDir + "/oauth-test.json" 97 97 - 98 98 - store, err := NewFileStore(storePath) 99 99 - if err != nil { 100 100 - t.Fatalf("NewFileStore() error = %v", err) 101 101 - } 102 102 - 103 103 - ctx := context.Background() 104 104 - did, _ := syntax.ParseDID("did:plc:alice123") 105 105 - 106 106 - // Create test session 107 107 - sessionData := oauth.ClientSessionData{ 108 108 - AccountDID: did, 109 109 - SessionID: "test-session-123", 110 110 - HostURL: "https://pds.example.com", 111 111 - Scopes: []string{"atproto", "blob:read"}, 112 112 - } 113 113 - 114 114 - // Save session 115 115 - if err := store.SaveSession(ctx, sessionData); err != nil { 116 116 - t.Fatalf("SaveSession() error = %v", err) 117 117 - } 118 118 - 119 119 - // Retrieve session 120 120 - retrieved, err := store.GetSession(ctx, did, "test-session-123") 121 121 - if err != nil { 122 122 - t.Fatalf("GetSession() error = %v", err) 123 123 - } 124 124 - 125 125 - if retrieved == nil { 126 126 - t.Fatal("Expected non-nil session") 127 127 - } 128 128 - 129 129 - if retrieved.SessionID != sessionData.SessionID { 130 130 - t.Errorf("Expected sessionID %q, got %q", sessionData.SessionID, retrieved.SessionID) 131 131 - } 132 132 - 133 133 - if retrieved.AccountDID.String() != did.String() { 134 134 - t.Errorf("Expected DID %q, got %q", did.String(), retrieved.AccountDID.String()) 135 135 - } 136 136 - 137 137 - if retrieved.HostURL != sessionData.HostURL { 138 138 - t.Errorf("Expected hostURL %q, got %q", sessionData.HostURL, retrieved.HostURL) 139 139 - } 140 140 - } 141 141 - 142 142 - func TestFileStore_UpdateSession(t *testing.T) { 143 143 - tmpDir := t.TempDir() 144 144 - storePath := tmpDir + "/oauth-test.json" 145 145 - 146 146 - store, err := NewFileStore(storePath) 147 147 - if err != nil { 148 148 - t.Fatalf("NewFileStore() error = %v", err) 149 149 - } 150 150 - 151 151 - ctx := context.Background() 152 152 - did, _ := syntax.ParseDID("did:plc:alice123") 153 153 - 154 154 - // Save initial session 155 155 - sessionData := oauth.ClientSessionData{ 156 156 - AccountDID: did, 157 157 - SessionID: "test-session-123", 158 158 - HostURL: "https://pds.example.com", 159 159 - Scopes: []string{"atproto"}, 160 160 - } 161 161 - 162 162 - if err := store.SaveSession(ctx, sessionData); err != nil { 163 163 - t.Fatalf("SaveSession() error = %v", err) 164 164 - } 165 165 - 166 166 - // Update session with new scopes 167 167 - sessionData.Scopes = []string{"atproto", "blob:read", "blob:write"} 168 168 - if err := store.SaveSession(ctx, sessionData); err != nil { 169 169 - t.Fatalf("SaveSession() (update) error = %v", err) 170 170 - } 171 171 - 172 172 - // Retrieve updated session 173 173 - retrieved, err := store.GetSession(ctx, did, "test-session-123") 174 174 - if err != nil { 175 175 - t.Fatalf("GetSession() error = %v", err) 176 176 - } 177 177 - 178 178 - if len(retrieved.Scopes) != 3 { 179 179 - t.Errorf("Expected 3 scopes, got %d", len(retrieved.Scopes)) 180 180 - } 181 181 - } 182 182 - 183 183 - func TestFileStore_DeleteSession(t *testing.T) { 184 184 - tmpDir := t.TempDir() 185 185 - storePath := tmpDir + "/oauth-test.json" 186 186 - 187 187 - store, err := NewFileStore(storePath) 188 188 - if err != nil { 189 189 - t.Fatalf("NewFileStore() error = %v", err) 190 190 - } 191 191 - 192 192 - ctx := context.Background() 193 193 - did, _ := syntax.ParseDID("did:plc:alice123") 194 194 - 195 195 - // Save session 196 196 - sessionData := oauth.ClientSessionData{ 197 197 - AccountDID: did, 198 198 - SessionID: "test-session-123", 199 199 - HostURL: "https://pds.example.com", 200 200 - } 201 201 - 202 202 - if err := store.SaveSession(ctx, sessionData); err != nil { 203 203 - t.Fatalf("SaveSession() error = %v", err) 204 204 - } 205 205 - 206 206 - // Verify it exists 207 207 - if _, err := store.GetSession(ctx, did, "test-session-123"); err != nil { 208 208 - t.Fatalf("GetSession() should succeed before delete, got error: %v", err) 209 209 - } 210 210 - 211 211 - // Delete session 212 212 - if err := store.DeleteSession(ctx, did, "test-session-123"); err != nil { 213 213 - t.Fatalf("DeleteSession() error = %v", err) 214 214 - } 215 215 - 216 216 - // Verify it's gone 217 217 - _, err = store.GetSession(ctx, did, "test-session-123") 218 218 - if err == nil { 219 219 - t.Error("Expected error after deleting session") 220 220 - } 221 221 - } 222 222 - 223 223 - func TestFileStore_DeleteNonExistentSession(t *testing.T) { 224 224 - tmpDir := t.TempDir() 225 225 - storePath := tmpDir + "/oauth-test.json" 226 226 - 227 227 - store, err := NewFileStore(storePath) 228 228 - if err != nil { 229 229 - t.Fatalf("NewFileStore() error = %v", err) 230 230 - } 231 231 - 232 232 - ctx := context.Background() 233 233 - did, _ := syntax.ParseDID("did:plc:alice123") 234 234 - 235 235 - // Delete non-existent session should not error 236 236 - if err := store.DeleteSession(ctx, did, "nonexistent"); err != nil { 237 237 - t.Errorf("DeleteSession() on non-existent session should not error, got: %v", err) 238 238 - } 239 239 - } 240 240 - 241 241 - func TestFileStore_SaveAndGetAuthRequestInfo(t *testing.T) { 242 242 - tmpDir := t.TempDir() 243 243 - storePath := tmpDir + "/oauth-test.json" 244 244 - 245 245 - store, err := NewFileStore(storePath) 246 246 - if err != nil { 247 247 - t.Fatalf("NewFileStore() error = %v", err) 248 248 - } 249 249 - 250 250 - ctx := context.Background() 251 251 - 252 252 - // Create test auth request 253 253 - did, _ := syntax.ParseDID("did:plc:alice123") 254 254 - authRequest := oauth.AuthRequestData{ 255 255 - State: "test-state-123", 256 256 - AuthServerURL: "https://pds.example.com", 257 257 - AccountDID: &did, 258 258 - Scopes: []string{"atproto", "blob:read"}, 259 259 - RequestURI: "urn:ietf:params:oauth:request_uri:test123", 260 260 - AuthServerTokenEndpoint: "https://pds.example.com/oauth/token", 261 261 - } 262 262 - 263 263 - // Save auth request 264 264 - if err := store.SaveAuthRequestInfo(ctx, authRequest); err != nil { 265 265 - t.Fatalf("SaveAuthRequestInfo() error = %v", err) 266 266 - } 267 267 - 268 268 - // Retrieve auth request 269 269 - retrieved, err := store.GetAuthRequestInfo(ctx, "test-state-123") 270 270 - if err != nil { 271 271 - t.Fatalf("GetAuthRequestInfo() error = %v", err) 272 272 - } 273 273 - 274 274 - if retrieved == nil { 275 275 - t.Fatal("Expected non-nil auth request") 276 276 - } 277 277 - 278 278 - if retrieved.State != authRequest.State { 279 279 - t.Errorf("Expected state %q, got %q", authRequest.State, retrieved.State) 280 280 - } 281 281 - 282 282 - if retrieved.AuthServerURL != authRequest.AuthServerURL { 283 283 - t.Errorf("Expected authServerURL %q, got %q", authRequest.AuthServerURL, retrieved.AuthServerURL) 284 284 - } 285 285 - } 286 286 - 287 287 - func TestFileStore_GetAuthRequestInfo_NotFound(t *testing.T) { 288 288 - tmpDir := t.TempDir() 289 289 - storePath := tmpDir + "/oauth-test.json" 290 290 - 291 291 - store, err := NewFileStore(storePath) 292 292 - if err != nil { 293 293 - t.Fatalf("NewFileStore() error = %v", err) 294 294 - } 295 295 - 296 296 - ctx := context.Background() 297 297 - 298 298 - // Should return error for non-existent request 299 299 - _, err = store.GetAuthRequestInfo(ctx, "nonexistent-state") 300 300 - if err == nil { 301 301 - t.Error("Expected error for non-existent auth request") 302 302 - } 303 303 - } 304 304 - 305 305 - func TestFileStore_DeleteAuthRequestInfo(t *testing.T) { 306 306 - tmpDir := t.TempDir() 307 307 - storePath := tmpDir + "/oauth-test.json" 308 308 - 309 309 - store, err := NewFileStore(storePath) 310 310 - if err != nil { 311 311 - t.Fatalf("NewFileStore() error = %v", err) 312 312 - } 313 313 - 314 314 - ctx := context.Background() 315 315 - 316 316 - // Save auth request 317 317 - authRequest := oauth.AuthRequestData{ 318 318 - State: "test-state-123", 319 319 - AuthServerURL: "https://pds.example.com", 320 320 - } 321 321 - 322 322 - if err := store.SaveAuthRequestInfo(ctx, authRequest); err != nil { 323 323 - t.Fatalf("SaveAuthRequestInfo() error = %v", err) 324 324 - } 325 325 - 326 326 - // Verify it exists 327 327 - if _, err := store.GetAuthRequestInfo(ctx, "test-state-123"); err != nil { 328 328 - t.Fatalf("GetAuthRequestInfo() should succeed before delete, got error: %v", err) 329 329 - } 330 330 - 331 331 - // Delete auth request 332 332 - if err := store.DeleteAuthRequestInfo(ctx, "test-state-123"); err != nil { 333 333 - t.Fatalf("DeleteAuthRequestInfo() error = %v", err) 334 334 - } 335 335 - 336 336 - // Verify it's gone 337 337 - _, err = store.GetAuthRequestInfo(ctx, "test-state-123") 338 338 - if err == nil { 339 339 - t.Error("Expected error after deleting auth request") 340 340 - } 341 341 - } 342 342 - 343 343 - func TestFileStore_ListSessions(t *testing.T) { 344 344 - tmpDir := t.TempDir() 345 345 - storePath := tmpDir + "/oauth-test.json" 346 346 - 347 347 - store, err := NewFileStore(storePath) 348 348 - if err != nil { 349 349 - t.Fatalf("NewFileStore() error = %v", err) 350 350 - } 351 351 - 352 352 - ctx := context.Background() 353 353 - 354 354 - // Initially empty 355 355 - sessions := store.ListSessions() 356 356 - if len(sessions) != 0 { 357 357 - t.Errorf("Expected 0 sessions, got %d", len(sessions)) 358 358 - } 359 359 - 360 360 - // Add multiple sessions 361 361 - did1, _ := syntax.ParseDID("did:plc:alice123") 362 362 - did2, _ := syntax.ParseDID("did:plc:bob456") 363 363 - 364 364 - session1 := oauth.ClientSessionData{ 365 365 - AccountDID: did1, 366 366 - SessionID: "session-1", 367 367 - HostURL: "https://pds1.example.com", 368 368 - } 369 369 - 370 370 - session2 := oauth.ClientSessionData{ 371 371 - AccountDID: did2, 372 372 - SessionID: "session-2", 373 373 - HostURL: "https://pds2.example.com", 374 374 - } 375 375 - 376 376 - if err := store.SaveSession(ctx, session1); err != nil { 377 377 - t.Fatalf("SaveSession() error = %v", err) 378 378 - } 379 379 - 380 380 - if err := store.SaveSession(ctx, session2); err != nil { 381 381 - t.Fatalf("SaveSession() error = %v", err) 382 382 - } 383 383 - 384 384 - // List sessions 385 385 - sessions = store.ListSessions() 386 386 - if len(sessions) != 2 { 387 387 - t.Errorf("Expected 2 sessions, got %d", len(sessions)) 388 388 - } 389 389 - 390 390 - // Verify we got both sessions 391 391 - key1 := makeSessionKey(did1.String(), "session-1") 392 392 - key2 := makeSessionKey(did2.String(), "session-2") 393 393 - 394 394 - if sessions[key1] == nil { 395 395 - t.Error("Expected session1 in list") 396 396 - } 397 397 - 398 398 - if sessions[key2] == nil { 399 399 - t.Error("Expected session2 in list") 400 400 - } 401 401 - } 402 402 - 403 403 - func TestFileStore_Persistence_Across_Instances(t *testing.T) { 404 404 - tmpDir := t.TempDir() 405 405 - storePath := tmpDir + "/oauth-test.json" 406 406 - 407 407 - ctx := context.Background() 408 408 - did, _ := syntax.ParseDID("did:plc:alice123") 409 409 - 410 410 - // Create first store and save data 411 411 - store1, err := NewFileStore(storePath) 412 412 - if err != nil { 413 413 - t.Fatalf("NewFileStore() error = %v", err) 414 414 - } 415 415 - 416 416 - sessionData := oauth.ClientSessionData{ 417 417 - AccountDID: did, 418 418 - SessionID: "persistent-session", 419 419 - HostURL: "https://pds.example.com", 420 420 - } 421 421 - 422 422 - if err := store1.SaveSession(ctx, sessionData); err != nil { 423 423 - t.Fatalf("SaveSession() error = %v", err) 424 424 - } 425 425 - 426 426 - authRequest := oauth.AuthRequestData{ 427 427 - State: "persistent-state", 428 428 - AuthServerURL: "https://pds.example.com", 429 429 - } 430 430 - 431 431 - if err := store1.SaveAuthRequestInfo(ctx, authRequest); err != nil { 432 432 - t.Fatalf("SaveAuthRequestInfo() error = %v", err) 433 433 - } 434 434 - 435 435 - // Create second store from same file 436 436 - store2, err := NewFileStore(storePath) 437 437 - if err != nil { 438 438 - t.Fatalf("Second NewFileStore() error = %v", err) 439 439 - } 440 440 - 441 441 - // Verify session persisted 442 442 - retrievedSession, err := store2.GetSession(ctx, did, "persistent-session") 443 443 - if err != nil { 444 444 - t.Fatalf("GetSession() from second store error = %v", err) 445 445 - } 446 446 - 447 447 - if retrievedSession.SessionID != "persistent-session" { 448 448 - t.Errorf("Expected persistent session ID, got %q", retrievedSession.SessionID) 449 449 - } 450 450 - 451 451 - // Verify auth request persisted 452 452 - retrievedAuth, err := store2.GetAuthRequestInfo(ctx, "persistent-state") 453 453 - if err != nil { 454 454 - t.Fatalf("GetAuthRequestInfo() from second store error = %v", err) 455 455 - } 456 456 - 457 457 - if retrievedAuth.State != "persistent-state" { 458 458 - t.Errorf("Expected persistent state, got %q", retrievedAuth.State) 459 459 - } 460 460 - } 461 461 - 462 462 - func TestFileStore_FileSecurity(t *testing.T) { 463 463 - tmpDir := t.TempDir() 464 464 - storePath := tmpDir + "/oauth-test.json" 465 465 - 466 466 - store, err := NewFileStore(storePath) 467 467 - if err != nil { 468 468 - t.Fatalf("NewFileStore() error = %v", err) 469 469 - } 470 470 - 471 471 - ctx := context.Background() 472 472 - did, _ := syntax.ParseDID("did:plc:alice123") 473 473 - 474 474 - // Save some data to trigger file creation 475 475 - sessionData := oauth.ClientSessionData{ 476 476 - AccountDID: did, 477 477 - SessionID: "test-session", 478 478 - HostURL: "https://pds.example.com", 479 479 - } 480 480 - 481 481 - if err := store.SaveSession(ctx, sessionData); err != nil { 482 482 - t.Fatalf("SaveSession() error = %v", err) 483 483 - } 484 484 - 485 485 - // Check file permissions (should be 0600) 486 486 - info, err := os.Stat(storePath) 487 487 - if err != nil { 488 488 - t.Fatalf("Failed to stat file: %v", err) 489 489 - } 490 490 - 491 491 - mode := info.Mode() 492 492 - if mode.Perm() != 0600 { 493 493 - t.Errorf("Expected file permissions 0600, got %o", mode.Perm()) 494 494 - } 495 495 - } 496 496 - 497 497 - func TestFileStore_JSONFormat(t *testing.T) { 498 498 - tmpDir := t.TempDir() 499 499 - storePath := tmpDir + "/oauth-test.json" 500 500 - 501 501 - store, err := NewFileStore(storePath) 502 502 - if err != nil { 503 503 - t.Fatalf("NewFileStore() error = %v", err) 504 504 - } 505 505 - 506 506 - ctx := context.Background() 507 507 - did, _ := syntax.ParseDID("did:plc:alice123") 508 508 - 509 509 - // Save data 510 510 - sessionData := oauth.ClientSessionData{ 511 511 - AccountDID: did, 512 512 - SessionID: "test-session", 513 513 - HostURL: "https://pds.example.com", 514 514 - } 515 515 - 516 516 - if err := store.SaveSession(ctx, sessionData); err != nil { 517 517 - t.Fatalf("SaveSession() error = %v", err) 518 518 - } 519 519 - 520 520 - // Read and verify JSON format 521 521 - data, err := os.ReadFile(storePath) 522 522 - if err != nil { 523 523 - t.Fatalf("Failed to read file: %v", err) 524 524 - } 525 525 - 526 526 - var storeData FileStoreData 527 527 - if err := json.Unmarshal(data, &storeData); err != nil { 528 528 - t.Fatalf("Failed to parse JSON: %v", err) 529 529 - } 530 530 - 531 531 - if storeData.Sessions == nil { 532 532 - t.Error("Expected sessions in JSON") 533 533 - } 534 534 - 535 535 - if storeData.Requests == nil { 536 536 - t.Error("Expected requests in JSON") 537 537 - } 538 538 - } 539 539 - 540 540 - func TestFileStore_CleanupExpired(t *testing.T) { 541 541 - tmpDir := t.TempDir() 542 542 - storePath := tmpDir + "/oauth-test.json" 543 543 - 544 544 - store, err := NewFileStore(storePath) 545 545 - if err != nil { 546 546 - t.Fatalf("NewFileStore() error = %v", err) 547 547 - } 548 548 - 549 549 - // CleanupExpired should not error even with no data 550 550 - if err := store.CleanupExpired(); err != nil { 551 551 - t.Errorf("CleanupExpired() error = %v", err) 552 552 - } 553 553 - 554 554 - // Note: Current implementation doesn't actually clean anything 555 555 - // since AuthRequestData and ClientSessionData don't have expiry timestamps 556 556 - // This test verifies the method doesn't panic 557 557 - } 558 558 - 559 559 - func TestGetDefaultStorePath(t *testing.T) { 560 560 - path, err := GetDefaultStorePath() 561 561 - if err != nil { 562 562 - t.Fatalf("GetDefaultStorePath() error = %v", err) 563 563 - } 564 564 - 565 565 - if path == "" { 566 566 - t.Fatal("Expected non-empty path") 567 567 - } 568 568 - 569 569 - // Path should either be /var/lib/atcr or ~/.atcr 570 570 - // We can't assert exact path since it depends on permissions 571 571 - t.Logf("Default store path: %s", path) 572 572 - } 573 573 - 574 574 - func TestMakeSessionKey(t *testing.T) { 575 575 - did := "did:plc:alice123" 576 576 - sessionID := "session-456" 577 577 - 578 578 - key := makeSessionKey(did, sessionID) 579 579 - expected := "did:plc:alice123:session-456" 580 580 - 581 581 - if key != expected { 582 582 - t.Errorf("Expected key %q, got %q", expected, key) 583 583 - } 584 584 - } 585 585 - 586 586 - func TestFileStore_ConcurrentAccess(t *testing.T) { 587 587 - tmpDir := t.TempDir() 588 588 - storePath := tmpDir + "/oauth-test.json" 589 589 - 590 590 - store, err := NewFileStore(storePath) 591 591 - if err != nil { 592 592 - t.Fatalf("NewFileStore() error = %v", err) 593 593 - } 594 594 - 595 595 - ctx := context.Background() 596 596 - 597 597 - // Run concurrent operations 598 598 - done := make(chan bool) 599 599 - 600 600 - // Writer goroutine 601 601 - go func() { 602 602 - for i := 0; i < 10; i++ { 603 603 - did, _ := syntax.ParseDID("did:plc:alice123") 604 604 - sessionData := oauth.ClientSessionData{ 605 605 - AccountDID: did, 606 606 - SessionID: "session-1", 607 607 - HostURL: "https://pds.example.com", 608 608 - } 609 609 - store.SaveSession(ctx, sessionData) 610 610 - time.Sleep(1 * time.Millisecond) 611 611 - } 612 612 - done <- true 613 613 - }() 614 614 - 615 615 - // Reader goroutine 616 616 - go func() { 617 617 - for i := 0; i < 10; i++ { 618 618 - did, _ := syntax.ParseDID("did:plc:alice123") 619 619 - store.GetSession(ctx, did, "session-1") 620 620 - time.Sleep(1 * time.Millisecond) 621 621 - } 622 622 - done <- true 623 623 - }() 624 624 - 625 625 - // Wait for both goroutines 626 626 - <-done 627 627 - <-done 628 628 - 629 629 - // If we got here without panicking, the locking works 630 630 - t.Log("Concurrent access test passed") 631 631 - }

+300

pkg/auth/servicetoken.go

··· 1 1 + package auth 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "encoding/base64" 6 6 + "encoding/json" 7 7 + "errors" 8 8 + "fmt" 9 9 + "io" 10 10 + "log/slog" 11 11 + "net/http" 12 12 + "net/url" 13 13 + "strings" 14 14 + "time" 15 15 + 16 16 + "atcr.io/pkg/atproto" 17 17 + "atcr.io/pkg/auth/oauth" 18 18 + "github.com/bluesky-social/indigo/atproto/atclient" 19 19 + indigo_oauth "github.com/bluesky-social/indigo/atproto/auth/oauth" 20 20 + ) 21 21 + 22 22 + // getErrorHint provides context-specific troubleshooting hints based on API error type 23 23 + func getErrorHint(apiErr *atclient.APIError) string { 24 24 + switch apiErr.Name { 25 25 + case "use_dpop_nonce": 26 26 + return "DPoP nonce mismatch - indigo library should automatically retry with new nonce. If this persists, check for concurrent request issues or PDS session corruption." 27 27 + case "invalid_client": 28 28 + if apiErr.Message != "" && apiErr.Message == "Validation of \"client_assertion\" failed: \"iat\" claim timestamp check failed (it should be in the past)" { 29 29 + return "JWT timestamp validation failed - system clock on AppView may be ahead of PDS clock. Check NTP sync with: timedatectl status" 30 30 + } 31 31 + return "OAuth client authentication failed - check client key configuration and PDS OAuth server status" 32 32 + case "invalid_token", "invalid_grant": 33 33 + return "OAuth tokens expired or invalidated - user will need to re-authenticate via OAuth flow" 34 34 + case "server_error": 35 35 + if apiErr.StatusCode == 500 { 36 36 + return "PDS returned internal server error - this may occur after repeated DPoP nonce failures or other PDS-side issues. Check PDS logs for root cause." 37 37 + } 38 38 + return "PDS server error - check PDS health and logs" 39 39 + case "invalid_dpop_proof": 40 40 + return "DPoP proof validation failed - check system clock sync and DPoP key configuration" 41 41 + default: 42 42 + if apiErr.StatusCode == 401 || apiErr.StatusCode == 403 { 43 43 + return "Authentication/authorization failed - OAuth session may be expired or revoked" 44 44 + } 45 45 + return "PDS rejected the request - see errorName and errorMessage for details" 46 46 + } 47 47 + } 48 48 + 49 49 + // ParseJWTExpiry extracts the expiry time from a JWT without verifying the signature 50 50 + // We trust tokens from the user's PDS, so signature verification isn't needed here 51 51 + // Manually decodes the JWT payload to avoid algorithm compatibility issues 52 52 + func ParseJWTExpiry(tokenString string) (time.Time, error) { 53 53 + // JWT format: header.payload.signature 54 54 + parts := strings.Split(tokenString, ".") 55 55 + if len(parts) != 3 { 56 56 + return time.Time{}, fmt.Errorf("invalid JWT format: expected 3 parts, got %d", len(parts)) 57 57 + } 58 58 + 59 59 + // Decode the payload (second part) 60 60 + payload, err := base64.RawURLEncoding.DecodeString(parts[1]) 61 61 + if err != nil { 62 62 + return time.Time{}, fmt.Errorf("failed to decode JWT payload: %w", err) 63 63 + } 64 64 + 65 65 + // Parse the JSON payload 66 66 + var claims struct { 67 67 + Exp int64 `json:"exp"` 68 68 + } 69 69 + if err := json.Unmarshal(payload, &claims); err != nil { 70 70 + return time.Time{}, fmt.Errorf("failed to parse JWT claims: %w", err) 71 71 + } 72 72 + 73 73 + if claims.Exp == 0 { 74 74 + return time.Time{}, fmt.Errorf("JWT missing exp claim") 75 75 + } 76 76 + 77 77 + return time.Unix(claims.Exp, 0), nil 78 78 + } 79 79 + 80 80 + // buildServiceAuthURL constructs the URL for com.atproto.server.getServiceAuth 81 81 + func buildServiceAuthURL(pdsEndpoint, holdDID string) string { 82 82 + // Request 5-minute expiry (PDS may grant less) 83 83 + // exp must be absolute Unix timestamp, not relative duration 84 84 + expiryTime := time.Now().Unix() + 300 // 5 minutes from now 85 85 + return fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d", 86 86 + pdsEndpoint, 87 87 + atproto.ServerGetServiceAuth, 88 88 + url.QueryEscape(holdDID), 89 89 + url.QueryEscape("com.atproto.repo.getRecord"), 90 90 + expiryTime, 91 91 + ) 92 92 + } 93 93 + 94 94 + // parseServiceTokenResponse extracts the token from a service auth response 95 95 + func parseServiceTokenResponse(resp *http.Response) (string, error) { 96 96 + defer resp.Body.Close() 97 97 + 98 98 + if resp.StatusCode != http.StatusOK { 99 99 + bodyBytes, _ := io.ReadAll(resp.Body) 100 100 + return "", fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 101 101 + } 102 102 + 103 103 + var result struct { 104 104 + Token string `json:"token"` 105 105 + } 106 106 + if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 107 107 + return "", fmt.Errorf("failed to decode service auth response: %w", err) 108 108 + } 109 109 + 110 110 + if result.Token == "" { 111 111 + return "", fmt.Errorf("empty token in service auth response") 112 112 + } 113 113 + 114 114 + return result.Token, nil 115 115 + } 116 116 + 117 117 + // GetOrFetchServiceToken gets a service token for hold authentication. 118 118 + // Handles both OAuth/DPoP and app-password authentication based on authMethod. 119 119 + // Checks cache first, then fetches from PDS if needed. 120 120 + // 121 121 + // For OAuth: Uses DoWithSession() to hold a per-DID lock through the entire PDS interaction. 122 122 + // This prevents DPoP nonce race conditions when multiple Docker layers upload concurrently. 123 123 + // 124 124 + // For app-password: Uses Bearer token authentication without locking (no DPoP complexity). 125 125 + func GetOrFetchServiceToken( 126 126 + ctx context.Context, 127 127 + authMethod string, 128 128 + refresher *oauth.Refresher, // Required for OAuth, nil for app-password 129 129 + did, holdDID, pdsEndpoint string, 130 130 + ) (string, error) { 131 131 + // Check cache first to avoid unnecessary PDS calls on every request 132 132 + cachedToken, expiresAt := GetServiceToken(did, holdDID) 133 133 + 134 134 + // Use cached token if it exists and has > 10s remaining 135 135 + if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 136 136 + slog.Debug("Using cached service token", 137 137 + "did", did, 138 138 + "authMethod", authMethod, 139 139 + "expiresIn", time.Until(expiresAt).Round(time.Second)) 140 140 + return cachedToken, nil 141 141 + } 142 142 + 143 143 + // Cache miss or expiring soon - fetch new service token 144 144 + if cachedToken == "" { 145 145 + slog.Debug("Service token cache miss, fetching new token", "did", did, "authMethod", authMethod) 146 146 + } else { 147 147 + slog.Debug("Service token expiring soon, proactively renewing", "did", did, "authMethod", authMethod) 148 148 + } 149 149 + 150 150 + var serviceToken string 151 151 + var err error 152 152 + 153 153 + // Branch based on auth method 154 154 + if authMethod == AuthMethodOAuth { 155 155 + serviceToken, err = doOAuthFetch(ctx, refresher, did, holdDID, pdsEndpoint) 156 156 + // OAuth-specific cleanup: delete stale session on error 157 157 + if err != nil && refresher != nil { 158 158 + if delErr := refresher.DeleteSession(ctx, did); delErr != nil { 159 159 + slog.Warn("Failed to delete stale OAuth session", 160 160 + "component", "auth/servicetoken", 161 161 + "did", did, 162 162 + "error", delErr) 163 163 + } 164 164 + } 165 165 + } else { 166 166 + serviceToken, err = doAppPasswordFetch(ctx, did, holdDID, pdsEndpoint) 167 167 + } 168 168 + 169 169 + // Unified error handling 170 170 + if err != nil { 171 171 + InvalidateServiceToken(did, holdDID) 172 172 + 173 173 + var apiErr *atclient.APIError 174 174 + if errors.As(err, &apiErr) { 175 175 + slog.Error("Service token request failed", 176 176 + "component", "auth/servicetoken", 177 177 + "authMethod", authMethod, 178 178 + "did", did, 179 179 + "holdDID", holdDID, 180 180 + "pdsEndpoint", pdsEndpoint, 181 181 + "error", err, 182 182 + "httpStatus", apiErr.StatusCode, 183 183 + "errorName", apiErr.Name, 184 184 + "errorMessage", apiErr.Message, 185 185 + "hint", getErrorHint(apiErr)) 186 186 + } else { 187 187 + slog.Error("Service token request failed", 188 188 + "component", "auth/servicetoken", 189 189 + "authMethod", authMethod, 190 190 + "did", did, 191 191 + "holdDID", holdDID, 192 192 + "pdsEndpoint", pdsEndpoint, 193 193 + "error", err) 194 194 + } 195 195 + return "", err 196 196 + } 197 197 + 198 198 + // Cache the token (parses JWT to extract actual expiry) 199 199 + if cacheErr := SetServiceToken(did, holdDID, serviceToken); cacheErr != nil { 200 200 + slog.Warn("Failed to cache service token", "error", cacheErr, "did", did, "holdDID", holdDID) 201 201 + } 202 202 + 203 203 + slog.Debug("Service token obtained", "did", did, "authMethod", authMethod) 204 204 + return serviceToken, nil 205 205 + } 206 206 + 207 207 + // doOAuthFetch fetches a service token using OAuth/DPoP authentication. 208 208 + // Uses DoWithSession() for per-DID locking to prevent DPoP nonce races. 209 209 + // Returns (token, error) without logging - caller handles error logging. 210 210 + func doOAuthFetch( 211 211 + ctx context.Context, 212 212 + refresher *oauth.Refresher, 213 213 + did, holdDID, pdsEndpoint string, 214 214 + ) (string, error) { 215 215 + if refresher == nil { 216 216 + return "", fmt.Errorf("refresher is nil (OAuth session required)") 217 217 + } 218 218 + 219 219 + var serviceToken string 220 220 + var fetchErr error 221 221 + 222 222 + err := refresher.DoWithSession(ctx, did, func(session *indigo_oauth.ClientSession) error { 223 223 + // Double-check cache after acquiring lock (double-checked locking pattern) 224 224 + cachedToken, expiresAt := GetServiceToken(did, holdDID) 225 225 + if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 226 226 + slog.Debug("Service token cache hit after lock acquisition", 227 227 + "did", did, 228 228 + "expiresIn", time.Until(expiresAt).Round(time.Second)) 229 229 + serviceToken = cachedToken 230 230 + return nil 231 231 + } 232 232 + 233 233 + serviceAuthURL := buildServiceAuthURL(pdsEndpoint, holdDID) 234 234 + 235 235 + req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 236 236 + if err != nil { 237 237 + fetchErr = fmt.Errorf("failed to create request: %w", err) 238 238 + return fetchErr 239 239 + } 240 240 + 241 241 + resp, err := session.DoWithAuth(session.Client, req, "com.atproto.server.getServiceAuth") 242 242 + if err != nil { 243 243 + fetchErr = fmt.Errorf("OAuth request failed: %w", err) 244 244 + return fetchErr 245 245 + } 246 246 + 247 247 + token, parseErr := parseServiceTokenResponse(resp) 248 248 + if parseErr != nil { 249 249 + fetchErr = parseErr 250 250 + return fetchErr 251 251 + } 252 252 + 253 253 + serviceToken = token 254 254 + return nil 255 255 + }) 256 256 + 257 257 + if err != nil { 258 258 + if fetchErr != nil { 259 259 + return "", fetchErr 260 260 + } 261 261 + return "", fmt.Errorf("failed to get OAuth session: %w", err) 262 262 + } 263 263 + 264 264 + return serviceToken, nil 265 265 + } 266 266 + 267 267 + // doAppPasswordFetch fetches a service token using Bearer token authentication. 268 268 + // Returns (token, error) without logging - caller handles error logging. 269 269 + func doAppPasswordFetch( 270 270 + ctx context.Context, 271 271 + did, holdDID, pdsEndpoint string, 272 272 + ) (string, error) { 273 273 + accessToken, ok := GetGlobalTokenCache().Get(did) 274 274 + if !ok { 275 275 + return "", fmt.Errorf("no app-password access token available for DID %s", did) 276 276 + } 277 277 + 278 278 + serviceAuthURL := buildServiceAuthURL(pdsEndpoint, holdDID) 279 279 + 280 280 + req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 281 281 + if err != nil { 282 282 + return "", fmt.Errorf("failed to create request: %w", err) 283 283 + } 284 284 + 285 285 + req.Header.Set("Authorization", "Bearer "+accessToken) 286 286 + 287 287 + resp, err := http.DefaultClient.Do(req) 288 288 + if err != nil { 289 289 + return "", fmt.Errorf("request failed: %w", err) 290 290 + } 291 291 + 292 292 + if resp.StatusCode == http.StatusUnauthorized { 293 293 + resp.Body.Close() 294 294 + // Clear stale app-password token 295 295 + GetGlobalTokenCache().Delete(did) 296 296 + return "", fmt.Errorf("app-password authentication failed: token expired or invalid") 297 297 + } 298 298 + 299 299 + return parseServiceTokenResponse(resp) 300 300 + }

+27

pkg/auth/servicetoken_test.go

··· 1 1 + package auth 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "testing" 6 6 + ) 7 7 + 8 8 + func TestGetOrFetchServiceToken_NilRefresher(t *testing.T) { 9 9 + ctx := context.Background() 10 10 + did := "did:plc:test123" 11 11 + holdDID := "did:web:hold.example.com" 12 12 + pdsEndpoint := "https://pds.example.com" 13 13 + 14 14 + // Test with nil refresher and OAuth auth method - should return error 15 15 + _, err := GetOrFetchServiceToken(ctx, AuthMethodOAuth, nil, did, holdDID, pdsEndpoint) 16 16 + if err == nil { 17 17 + t.Error("Expected error when refresher is nil for OAuth") 18 18 + } 19 19 + 20 20 + expectedErrMsg := "refresher is nil (OAuth session required)" 21 21 + if err.Error() != expectedErrMsg { 22 22 + t.Errorf("Expected error message %q, got %q", expectedErrMsg, err.Error()) 23 23 + } 24 24 + } 25 25 + 26 26 + // Note: Full tests with mocked OAuth refresher and HTTP client will be added 27 27 + // in the comprehensive test implementation phase

-175

pkg/auth/token/cache.go

··· 1 1 - // Package token provides service token caching and management for AppView. 2 2 - // Service tokens are JWTs issued by a user's PDS to authorize AppView to 3 3 - // act on their behalf when communicating with hold services. Tokens are 4 4 - // cached with automatic expiry parsing and 10-second safety margins. 5 5 - package token 6 6 - 7 7 - import ( 8 8 - "encoding/base64" 9 9 - "encoding/json" 10 10 - "fmt" 11 11 - "log/slog" 12 12 - "strings" 13 13 - "sync" 14 14 - "time" 15 15 - ) 16 16 - 17 17 - // serviceTokenEntry represents a cached service token 18 18 - type serviceTokenEntry struct { 19 19 - token string 20 20 - expiresAt time.Time 21 21 - } 22 22 - 23 23 - // Global cache for service tokens (DID:HoldDID -> token) 24 24 - // Service tokens are JWTs issued by a user's PDS to authorize AppView to act on their behalf 25 25 - // when communicating with hold services. These tokens are scoped to specific holds and have 26 26 - // limited lifetime (typically 60s, can request up to 5min). 27 27 - var ( 28 28 - globalServiceTokens = make(map[string]*serviceTokenEntry) 29 29 - globalServiceTokensMu sync.RWMutex 30 30 - ) 31 31 - 32 32 - // GetServiceToken retrieves a cached service token for the given DID and hold DID 33 33 - // Returns empty string if no valid cached token exists 34 34 - func GetServiceToken(did, holdDID string) (token string, expiresAt time.Time) { 35 35 - cacheKey := did + ":" + holdDID 36 36 - 37 37 - globalServiceTokensMu.RLock() 38 38 - entry, exists := globalServiceTokens[cacheKey] 39 39 - globalServiceTokensMu.RUnlock() 40 40 - 41 41 - if !exists { 42 42 - return "", time.Time{} 43 43 - } 44 44 - 45 45 - // Check if token is still valid 46 46 - if time.Now().After(entry.expiresAt) { 47 47 - // Token expired, remove from cache 48 48 - globalServiceTokensMu.Lock() 49 49 - delete(globalServiceTokens, cacheKey) 50 50 - globalServiceTokensMu.Unlock() 51 51 - return "", time.Time{} 52 52 - } 53 53 - 54 54 - return entry.token, entry.expiresAt 55 55 - } 56 56 - 57 57 - // SetServiceToken stores a service token in the cache 58 58 - // Automatically parses the JWT to extract the expiry time 59 59 - // Applies a 10-second safety margin (cache expires 10s before actual JWT expiry) 60 60 - func SetServiceToken(did, holdDID, token string) error { 61 61 - cacheKey := did + ":" + holdDID 62 62 - 63 63 - // Parse JWT to extract expiry (don't verify signature - we trust the PDS) 64 64 - expiry, err := parseJWTExpiry(token) 65 65 - if err != nil { 66 66 - // If parsing fails, use default 50s TTL (conservative fallback) 67 67 - slog.Warn("Failed to parse JWT expiry, using default 50s", "error", err, "cacheKey", cacheKey) 68 68 - expiry = time.Now().Add(50 * time.Second) 69 69 - } else { 70 70 - // Apply 10s safety margin to avoid using nearly-expired tokens 71 71 - expiry = expiry.Add(-10 * time.Second) 72 72 - } 73 73 - 74 74 - globalServiceTokensMu.Lock() 75 75 - globalServiceTokens[cacheKey] = &serviceTokenEntry{ 76 76 - token: token, 77 77 - expiresAt: expiry, 78 78 - } 79 79 - globalServiceTokensMu.Unlock() 80 80 - 81 81 - slog.Debug("Cached service token", 82 82 - "cacheKey", cacheKey, 83 83 - "expiresIn", time.Until(expiry).Round(time.Second)) 84 84 - 85 85 - return nil 86 86 - } 87 87 - 88 88 - // parseJWTExpiry extracts the expiry time from a JWT without verifying the signature 89 89 - // We trust tokens from the user's PDS, so signature verification isn't needed here 90 90 - // Manually decodes the JWT payload to avoid algorithm compatibility issues 91 91 - func parseJWTExpiry(tokenString string) (time.Time, error) { 92 92 - // JWT format: header.payload.signature 93 93 - parts := strings.Split(tokenString, ".") 94 94 - if len(parts) != 3 { 95 95 - return time.Time{}, fmt.Errorf("invalid JWT format: expected 3 parts, got %d", len(parts)) 96 96 - } 97 97 - 98 98 - // Decode the payload (second part) 99 99 - payload, err := base64.RawURLEncoding.DecodeString(parts[1]) 100 100 - if err != nil { 101 101 - return time.Time{}, fmt.Errorf("failed to decode JWT payload: %w", err) 102 102 - } 103 103 - 104 104 - // Parse the JSON payload 105 105 - var claims struct { 106 106 - Exp int64 `json:"exp"` 107 107 - } 108 108 - if err := json.Unmarshal(payload, &claims); err != nil { 109 109 - return time.Time{}, fmt.Errorf("failed to parse JWT claims: %w", err) 110 110 - } 111 111 - 112 112 - if claims.Exp == 0 { 113 113 - return time.Time{}, fmt.Errorf("JWT missing exp claim") 114 114 - } 115 115 - 116 116 - return time.Unix(claims.Exp, 0), nil 117 117 - } 118 118 - 119 119 - // InvalidateServiceToken removes a service token from the cache 120 120 - // Used when we detect that a token is invalid or the user's session has expired 121 121 - func InvalidateServiceToken(did, holdDID string) { 122 122 - cacheKey := did + ":" + holdDID 123 123 - 124 124 - globalServiceTokensMu.Lock() 125 125 - delete(globalServiceTokens, cacheKey) 126 126 - globalServiceTokensMu.Unlock() 127 127 - 128 128 - slog.Debug("Invalidated service token", "cacheKey", cacheKey) 129 129 - } 130 130 - 131 131 - // GetCacheStats returns statistics about the service token cache for debugging 132 132 - func GetCacheStats() map[string]any { 133 133 - globalServiceTokensMu.RLock() 134 134 - defer globalServiceTokensMu.RUnlock() 135 135 - 136 136 - validCount := 0 137 137 - expiredCount := 0 138 138 - now := time.Now() 139 139 - 140 140 - for _, entry := range globalServiceTokens { 141 141 - if now.Before(entry.expiresAt) { 142 142 - validCount++ 143 143 - } else { 144 144 - expiredCount++ 145 145 - } 146 146 - } 147 147 - 148 148 - return map[string]any{ 149 149 - "total_entries": len(globalServiceTokens), 150 150 - "valid_tokens": validCount, 151 151 - "expired_tokens": expiredCount, 152 152 - } 153 153 - } 154 154 - 155 155 - // CleanExpiredTokens removes expired tokens from the cache 156 156 - // Can be called periodically to prevent unbounded growth (though expired tokens 157 157 - // are also removed lazily on access) 158 158 - func CleanExpiredTokens() { 159 159 - globalServiceTokensMu.Lock() 160 160 - defer globalServiceTokensMu.Unlock() 161 161 - 162 162 - now := time.Now() 163 163 - removed := 0 164 164 - 165 165 - for key, entry := range globalServiceTokens { 166 166 - if now.After(entry.expiresAt) { 167 167 - delete(globalServiceTokens, key) 168 168 - removed++ 169 169 - } 170 170 - } 171 171 - 172 172 - if removed > 0 { 173 173 - slog.Debug("Cleaned expired service tokens", "count", removed) 174 174 - } 175 175 - }

-195

pkg/auth/token/cache_test.go

··· 1 1 - package token 2 2 - 3 3 - import ( 4 4 - "testing" 5 5 - "time" 6 6 - ) 7 7 - 8 8 - func TestGetServiceToken_NotCached(t *testing.T) { 9 9 - // Clear cache first 10 10 - globalServiceTokensMu.Lock() 11 11 - globalServiceTokens = make(map[string]*serviceTokenEntry) 12 12 - globalServiceTokensMu.Unlock() 13 13 - 14 14 - did := "did:plc:test123" 15 15 - holdDID := "did:web:hold.example.com" 16 16 - 17 17 - token, expiresAt := GetServiceToken(did, holdDID) 18 18 - if token != "" { 19 19 - t.Errorf("Expected empty token for uncached entry, got %q", token) 20 20 - } 21 21 - if !expiresAt.IsZero() { 22 22 - t.Error("Expected zero time for uncached entry") 23 23 - } 24 24 - } 25 25 - 26 26 - func TestSetServiceToken_ManualExpiry(t *testing.T) { 27 27 - // Clear cache first 28 28 - globalServiceTokensMu.Lock() 29 29 - globalServiceTokens = make(map[string]*serviceTokenEntry) 30 30 - globalServiceTokensMu.Unlock() 31 31 - 32 32 - did := "did:plc:test123" 33 33 - holdDID := "did:web:hold.example.com" 34 34 - token := "invalid_jwt_token" // Will fall back to 50s default 35 35 - 36 36 - // This should succeed with default 50s TTL since JWT parsing will fail 37 37 - err := SetServiceToken(did, holdDID, token) 38 38 - if err != nil { 39 39 - t.Fatalf("SetServiceToken() error = %v", err) 40 40 - } 41 41 - 42 42 - // Verify token was cached 43 43 - cachedToken, expiresAt := GetServiceToken(did, holdDID) 44 44 - if cachedToken != token { 45 45 - t.Errorf("Expected token %q, got %q", token, cachedToken) 46 46 - } 47 47 - if expiresAt.IsZero() { 48 48 - t.Error("Expected non-zero expiry time") 49 49 - } 50 50 - 51 51 - // Expiry should be approximately 50s from now (with 10s margin subtracted in some cases) 52 52 - expectedExpiry := time.Now().Add(50 * time.Second) 53 53 - diff := expiresAt.Sub(expectedExpiry) 54 54 - if diff < -5*time.Second || diff > 5*time.Second { 55 55 - t.Errorf("Expiry time off by %v (expected ~50s from now)", diff) 56 56 - } 57 57 - } 58 58 - 59 59 - func TestGetServiceToken_Expired(t *testing.T) { 60 60 - // Manually insert an expired token 61 61 - did := "did:plc:test123" 62 62 - holdDID := "did:web:hold.example.com" 63 63 - cacheKey := did + ":" + holdDID 64 64 - 65 65 - globalServiceTokensMu.Lock() 66 66 - globalServiceTokens[cacheKey] = &serviceTokenEntry{ 67 67 - token: "expired_token", 68 68 - expiresAt: time.Now().Add(-1 * time.Hour), // 1 hour ago 69 69 - } 70 70 - globalServiceTokensMu.Unlock() 71 71 - 72 72 - // Try to get - should return empty since expired 73 73 - token, expiresAt := GetServiceToken(did, holdDID) 74 74 - if token != "" { 75 75 - t.Errorf("Expected empty token for expired entry, got %q", token) 76 76 - } 77 77 - if !expiresAt.IsZero() { 78 78 - t.Error("Expected zero time for expired entry") 79 79 - } 80 80 - 81 81 - // Verify token was removed from cache 82 82 - globalServiceTokensMu.RLock() 83 83 - _, exists := globalServiceTokens[cacheKey] 84 84 - globalServiceTokensMu.RUnlock() 85 85 - 86 86 - if exists { 87 87 - t.Error("Expected expired token to be removed from cache") 88 88 - } 89 89 - } 90 90 - 91 91 - func TestInvalidateServiceToken(t *testing.T) { 92 92 - // Set a token 93 93 - did := "did:plc:test123" 94 94 - holdDID := "did:web:hold.example.com" 95 95 - token := "test_token" 96 96 - 97 97 - err := SetServiceToken(did, holdDID, token) 98 98 - if err != nil { 99 99 - t.Fatalf("SetServiceToken() error = %v", err) 100 100 - } 101 101 - 102 102 - // Verify it's cached 103 103 - cachedToken, _ := GetServiceToken(did, holdDID) 104 104 - if cachedToken != token { 105 105 - t.Fatal("Token should be cached") 106 106 - } 107 107 - 108 108 - // Invalidate 109 109 - InvalidateServiceToken(did, holdDID) 110 110 - 111 111 - // Verify it's gone 112 112 - cachedToken, _ = GetServiceToken(did, holdDID) 113 113 - if cachedToken != "" { 114 114 - t.Error("Expected token to be invalidated") 115 115 - } 116 116 - } 117 117 - 118 118 - func TestCleanExpiredTokens(t *testing.T) { 119 119 - // Clear cache first 120 120 - globalServiceTokensMu.Lock() 121 121 - globalServiceTokens = make(map[string]*serviceTokenEntry) 122 122 - globalServiceTokensMu.Unlock() 123 123 - 124 124 - // Add expired and valid tokens 125 125 - globalServiceTokensMu.Lock() 126 126 - globalServiceTokens["expired:hold1"] = &serviceTokenEntry{ 127 127 - token: "expired1", 128 128 - expiresAt: time.Now().Add(-1 * time.Hour), 129 129 - } 130 130 - globalServiceTokens["valid:hold2"] = &serviceTokenEntry{ 131 131 - token: "valid1", 132 132 - expiresAt: time.Now().Add(1 * time.Hour), 133 133 - } 134 134 - globalServiceTokensMu.Unlock() 135 135 - 136 136 - // Clean expired 137 137 - CleanExpiredTokens() 138 138 - 139 139 - // Verify only valid token remains 140 140 - globalServiceTokensMu.RLock() 141 141 - _, expiredExists := globalServiceTokens["expired:hold1"] 142 142 - _, validExists := globalServiceTokens["valid:hold2"] 143 143 - globalServiceTokensMu.RUnlock() 144 144 - 145 145 - if expiredExists { 146 146 - t.Error("Expected expired token to be removed") 147 147 - } 148 148 - if !validExists { 149 149 - t.Error("Expected valid token to remain") 150 150 - } 151 151 - } 152 152 - 153 153 - func TestGetCacheStats(t *testing.T) { 154 154 - // Clear cache first 155 155 - globalServiceTokensMu.Lock() 156 156 - globalServiceTokens = make(map[string]*serviceTokenEntry) 157 157 - globalServiceTokensMu.Unlock() 158 158 - 159 159 - // Add some tokens 160 160 - globalServiceTokensMu.Lock() 161 161 - globalServiceTokens["did1:hold1"] = &serviceTokenEntry{ 162 162 - token: "token1", 163 163 - expiresAt: time.Now().Add(1 * time.Hour), 164 164 - } 165 165 - globalServiceTokens["did2:hold2"] = &serviceTokenEntry{ 166 166 - token: "token2", 167 167 - expiresAt: time.Now().Add(1 * time.Hour), 168 168 - } 169 169 - globalServiceTokensMu.Unlock() 170 170 - 171 171 - stats := GetCacheStats() 172 172 - if stats == nil { 173 173 - t.Fatal("Expected non-nil stats") 174 174 - } 175 175 - 176 176 - // GetCacheStats returns map[string]any with "total_entries" key 177 177 - totalEntries, ok := stats["total_entries"].(int) 178 178 - if !ok { 179 179 - t.Fatalf("Expected total_entries in stats map, got: %v", stats) 180 180 - } 181 181 - 182 182 - if totalEntries != 2 { 183 183 - t.Errorf("Expected 2 entries, got %d", totalEntries) 184 184 - } 185 185 - 186 186 - // Also check valid_tokens 187 187 - validTokens, ok := stats["valid_tokens"].(int) 188 188 - if !ok { 189 189 - t.Fatal("Expected valid_tokens in stats map") 190 190 - } 191 191 - 192 192 - if validTokens != 2 { 193 193 - t.Errorf("Expected 2 valid tokens, got %d", validTokens) 194 194 - } 195 195 - }

+19

pkg/auth/token/claims.go

··· 56 56 57 57 return claims.AuthMethod 58 58 } 59 59 + 60 60 + // ExtractSubject parses a JWT token string and extracts the Subject claim (the user's DID) 61 61 + // Returns the subject or empty string if not found or token is invalid 62 62 + // This does NOT validate the token - it only parses it to extract the claim 63 63 + func ExtractSubject(tokenString string) string { 64 64 + // Parse token without validation (we only need the claims, validation is done by distribution library) 65 65 + parser := jwt.NewParser(jwt.WithoutClaimsValidation()) 66 66 + token, _, err := parser.ParseUnverified(tokenString, &Claims{}) 67 67 + if err != nil { 68 68 + return "" // Invalid token format 69 69 + } 70 70 + 71 71 + claims, ok := token.Claims.(*Claims) 72 72 + if !ok { 73 73 + return "" // Wrong claims type 74 74 + } 75 75 + 76 76 + return claims.Subject 77 77 + }

-362

pkg/auth/token/servicetoken.go

··· 1 1 - package token 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "encoding/json" 6 6 - "errors" 7 7 - "fmt" 8 8 - "io" 9 9 - "log/slog" 10 10 - "net/http" 11 11 - "net/url" 12 12 - "time" 13 13 - 14 14 - "atcr.io/pkg/atproto" 15 15 - "atcr.io/pkg/auth" 16 16 - "atcr.io/pkg/auth/oauth" 17 17 - "github.com/bluesky-social/indigo/atproto/atclient" 18 18 - indigo_oauth "github.com/bluesky-social/indigo/atproto/auth/oauth" 19 19 - ) 20 20 - 21 21 - // getErrorHint provides context-specific troubleshooting hints based on API error type 22 22 - func getErrorHint(apiErr *atclient.APIError) string { 23 23 - switch apiErr.Name { 24 24 - case "use_dpop_nonce": 25 25 - return "DPoP nonce mismatch - indigo library should automatically retry with new nonce. If this persists, check for concurrent request issues or PDS session corruption." 26 26 - case "invalid_client": 27 27 - if apiErr.Message != "" && apiErr.Message == "Validation of \"client_assertion\" failed: \"iat\" claim timestamp check failed (it should be in the past)" { 28 28 - return "JWT timestamp validation failed - system clock on AppView may be ahead of PDS clock. Check NTP sync with: timedatectl status" 29 29 - } 30 30 - return "OAuth client authentication failed - check client key configuration and PDS OAuth server status" 31 31 - case "invalid_token", "invalid_grant": 32 32 - return "OAuth tokens expired or invalidated - user will need to re-authenticate via OAuth flow" 33 33 - case "server_error": 34 34 - if apiErr.StatusCode == 500 { 35 35 - return "PDS returned internal server error - this may occur after repeated DPoP nonce failures or other PDS-side issues. Check PDS logs for root cause." 36 36 - } 37 37 - return "PDS server error - check PDS health and logs" 38 38 - case "invalid_dpop_proof": 39 39 - return "DPoP proof validation failed - check system clock sync and DPoP key configuration" 40 40 - default: 41 41 - if apiErr.StatusCode == 401 || apiErr.StatusCode == 403 { 42 42 - return "Authentication/authorization failed - OAuth session may be expired or revoked" 43 43 - } 44 44 - return "PDS rejected the request - see errorName and errorMessage for details" 45 45 - } 46 46 - } 47 47 - 48 48 - // GetOrFetchServiceToken gets a service token for hold authentication. 49 49 - // Checks cache first, then fetches from PDS with OAuth/DPoP if needed. 50 50 - // This is the canonical implementation used by both middleware and crew registration. 51 51 - // 52 52 - // IMPORTANT: Uses DoWithSession() to hold a per-DID lock through the entire PDS interaction. 53 53 - // This prevents DPoP nonce race conditions when multiple Docker layers upload concurrently. 54 54 - func GetOrFetchServiceToken( 55 55 - ctx context.Context, 56 56 - refresher *oauth.Refresher, 57 57 - did, holdDID, pdsEndpoint string, 58 58 - ) (string, error) { 59 59 - if refresher == nil { 60 60 - return "", fmt.Errorf("refresher is nil (OAuth session required for service tokens)") 61 61 - } 62 62 - 63 63 - // Check cache first to avoid unnecessary PDS calls on every request 64 64 - cachedToken, expiresAt := GetServiceToken(did, holdDID) 65 65 - 66 66 - // Use cached token if it exists and has > 10s remaining 67 67 - if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 68 68 - slog.Debug("Using cached service token", 69 69 - "did", did, 70 70 - "expiresIn", time.Until(expiresAt).Round(time.Second)) 71 71 - return cachedToken, nil 72 72 - } 73 73 - 74 74 - // Cache miss or expiring soon - validate OAuth and get new service token 75 75 - if cachedToken == "" { 76 76 - slog.Debug("Service token cache miss, fetching new token", "did", did) 77 77 - } else { 78 78 - slog.Debug("Service token expiring soon, proactively renewing", "did", did) 79 79 - } 80 80 - 81 81 - // Use DoWithSession to hold the lock through the entire PDS interaction. 82 82 - // This prevents DPoP nonce races when multiple goroutines try to fetch service tokens. 83 83 - var serviceToken string 84 84 - var fetchErr error 85 85 - 86 86 - err := refresher.DoWithSession(ctx, did, func(session *indigo_oauth.ClientSession) error { 87 87 - // Double-check cache after acquiring lock - another goroutine may have 88 88 - // populated it while we were waiting (classic double-checked locking pattern) 89 89 - cachedToken, expiresAt := GetServiceToken(did, holdDID) 90 90 - if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 91 91 - slog.Debug("Service token cache hit after lock acquisition", 92 92 - "did", did, 93 93 - "expiresIn", time.Until(expiresAt).Round(time.Second)) 94 94 - serviceToken = cachedToken 95 95 - return nil 96 96 - } 97 97 - 98 98 - // Cache still empty/expired - proceed with PDS call 99 99 - // Request 5-minute expiry (PDS may grant less) 100 100 - // exp must be absolute Unix timestamp, not relative duration 101 101 - // Note: OAuth scope includes #atcr_hold fragment, but service auth aud must be bare DID 102 102 - expiryTime := time.Now().Unix() + 300 // 5 minutes from now 103 103 - serviceAuthURL := fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d", 104 104 - pdsEndpoint, 105 105 - atproto.ServerGetServiceAuth, 106 106 - url.QueryEscape(holdDID), 107 107 - url.QueryEscape("com.atproto.repo.getRecord"), 108 108 - expiryTime, 109 109 - ) 110 110 - 111 111 - req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 112 112 - if err != nil { 113 113 - fetchErr = fmt.Errorf("failed to create service auth request: %w", err) 114 114 - return fetchErr 115 115 - } 116 116 - 117 117 - // Use OAuth session to authenticate to PDS (with DPoP) 118 118 - // The lock is held, so DPoP nonce negotiation is serialized per-DID 119 119 - resp, err := session.DoWithAuth(session.Client, req, "com.atproto.server.getServiceAuth") 120 120 - if err != nil { 121 121 - // Auth error - may indicate expired tokens or corrupted session 122 122 - InvalidateServiceToken(did, holdDID) 123 123 - 124 124 - // Inspect the error to extract detailed information from indigo's APIError 125 125 - var apiErr *atclient.APIError 126 126 - if errors.As(err, &apiErr) { 127 127 - // Log detailed API error information 128 128 - slog.Error("OAuth authentication failed during service token request", 129 129 - "component", "token/servicetoken", 130 130 - "did", did, 131 131 - "holdDID", holdDID, 132 132 - "pdsEndpoint", pdsEndpoint, 133 133 - "url", serviceAuthURL, 134 134 - "error", err, 135 135 - "httpStatus", apiErr.StatusCode, 136 136 - "errorName", apiErr.Name, 137 137 - "errorMessage", apiErr.Message, 138 138 - "hint", getErrorHint(apiErr)) 139 139 - } else { 140 140 - // Fallback for non-API errors (network errors, etc.) 141 141 - slog.Error("OAuth authentication failed during service token request", 142 142 - "component", "token/servicetoken", 143 143 - "did", did, 144 144 - "holdDID", holdDID, 145 145 - "pdsEndpoint", pdsEndpoint, 146 146 - "url", serviceAuthURL, 147 147 - "error", err, 148 148 - "errorType", fmt.Sprintf("%T", err), 149 149 - "hint", "Network error or unexpected failure during OAuth request") 150 150 - } 151 151 - 152 152 - fetchErr = fmt.Errorf("OAuth validation failed: %w", err) 153 153 - return fetchErr 154 154 - } 155 155 - defer resp.Body.Close() 156 156 - 157 157 - if resp.StatusCode != http.StatusOK { 158 158 - // Service auth failed 159 159 - bodyBytes, _ := io.ReadAll(resp.Body) 160 160 - InvalidateServiceToken(did, holdDID) 161 161 - slog.Error("Service token request returned non-200 status", 162 162 - "component", "token/servicetoken", 163 163 - "did", did, 164 164 - "holdDID", holdDID, 165 165 - "pdsEndpoint", pdsEndpoint, 166 166 - "statusCode", resp.StatusCode, 167 167 - "responseBody", string(bodyBytes), 168 168 - "hint", "PDS rejected the service token request - check PDS logs for details") 169 169 - fetchErr = fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 170 170 - return fetchErr 171 171 - } 172 172 - 173 173 - // Parse response to get service token 174 174 - var result struct { 175 175 - Token string `json:"token"` 176 176 - } 177 177 - if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 178 178 - fetchErr = fmt.Errorf("failed to decode service auth response: %w", err) 179 179 - return fetchErr 180 180 - } 181 181 - 182 182 - if result.Token == "" { 183 183 - fetchErr = fmt.Errorf("empty token in service auth response") 184 184 - return fetchErr 185 185 - } 186 186 - 187 187 - serviceToken = result.Token 188 188 - return nil 189 189 - }) 190 190 - 191 191 - if err != nil { 192 192 - // DoWithSession failed (session load or callback error) 193 193 - InvalidateServiceToken(did, holdDID) 194 194 - 195 195 - // Try to extract detailed error information 196 196 - var apiErr *atclient.APIError 197 197 - if errors.As(err, &apiErr) { 198 198 - slog.Error("Failed to get OAuth session for service token", 199 199 - "component", "token/servicetoken", 200 200 - "did", did, 201 201 - "holdDID", holdDID, 202 202 - "pdsEndpoint", pdsEndpoint, 203 203 - "error", err, 204 204 - "httpStatus", apiErr.StatusCode, 205 205 - "errorName", apiErr.Name, 206 206 - "errorMessage", apiErr.Message, 207 207 - "hint", getErrorHint(apiErr)) 208 208 - } else if fetchErr == nil { 209 209 - // Session load failed (not a fetch error) 210 210 - slog.Error("Failed to get OAuth session for service token", 211 211 - "component", "token/servicetoken", 212 212 - "did", did, 213 213 - "holdDID", holdDID, 214 214 - "pdsEndpoint", pdsEndpoint, 215 215 - "error", err, 216 216 - "errorType", fmt.Sprintf("%T", err), 217 217 - "hint", "OAuth session not found in database or token refresh failed") 218 218 - } 219 219 - 220 220 - // Delete the stale OAuth session to force re-authentication 221 221 - // This also invalidates the UI session automatically 222 222 - if delErr := refresher.DeleteSession(ctx, did); delErr != nil { 223 223 - slog.Warn("Failed to delete stale OAuth session", 224 224 - "component", "token/servicetoken", 225 225 - "did", did, 226 226 - "error", delErr) 227 227 - } 228 228 - 229 229 - if fetchErr != nil { 230 230 - return "", fetchErr 231 231 - } 232 232 - return "", fmt.Errorf("failed to get OAuth session: %w", err) 233 233 - } 234 234 - 235 235 - // Cache the token (parses JWT to extract actual expiry) 236 236 - if err := SetServiceToken(did, holdDID, serviceToken); err != nil { 237 237 - slog.Warn("Failed to cache service token", "error", err, "did", did, "holdDID", holdDID) 238 238 - // Non-fatal - we have the token, just won't be cached 239 239 - } 240 240 - 241 241 - slog.Debug("OAuth validation succeeded, service token obtained", "did", did) 242 242 - return serviceToken, nil 243 243 - } 244 244 - 245 245 - // GetOrFetchServiceTokenWithAppPassword gets a service token using app-password Bearer authentication. 246 246 - // Used when auth method is app_password instead of OAuth. 247 247 - func GetOrFetchServiceTokenWithAppPassword( 248 248 - ctx context.Context, 249 249 - did, holdDID, pdsEndpoint string, 250 250 - ) (string, error) { 251 251 - // Check cache first to avoid unnecessary PDS calls on every request 252 252 - cachedToken, expiresAt := GetServiceToken(did, holdDID) 253 253 - 254 254 - // Use cached token if it exists and has > 10s remaining 255 255 - if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 256 256 - slog.Debug("Using cached service token (app-password)", 257 257 - "did", did, 258 258 - "expiresIn", time.Until(expiresAt).Round(time.Second)) 259 259 - return cachedToken, nil 260 260 - } 261 261 - 262 262 - // Cache miss or expiring soon - get app-password token and fetch new service token 263 263 - if cachedToken == "" { 264 264 - slog.Debug("Service token cache miss, fetching new token with app-password", "did", did) 265 265 - } else { 266 266 - slog.Debug("Service token expiring soon, proactively renewing with app-password", "did", did) 267 267 - } 268 268 - 269 269 - // Get app-password access token from cache 270 270 - accessToken, ok := auth.GetGlobalTokenCache().Get(did) 271 271 - if !ok { 272 272 - InvalidateServiceToken(did, holdDID) 273 273 - slog.Error("No app-password access token found in cache", 274 274 - "component", "token/servicetoken", 275 275 - "did", did, 276 276 - "holdDID", holdDID, 277 277 - "hint", "User must re-authenticate with docker login") 278 278 - return "", fmt.Errorf("no app-password access token available for DID %s", did) 279 279 - } 280 280 - 281 281 - // Call com.atproto.server.getServiceAuth on the user's PDS with Bearer token 282 282 - // Request 5-minute expiry (PDS may grant less) 283 283 - // exp must be absolute Unix timestamp, not relative duration 284 284 - expiryTime := time.Now().Unix() + 300 // 5 minutes from now 285 285 - serviceAuthURL := fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d", 286 286 - pdsEndpoint, 287 287 - atproto.ServerGetServiceAuth, 288 288 - url.QueryEscape(holdDID), 289 289 - url.QueryEscape("com.atproto.repo.getRecord"), 290 290 - expiryTime, 291 291 - ) 292 292 - 293 293 - req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 294 294 - if err != nil { 295 295 - return "", fmt.Errorf("failed to create service auth request: %w", err) 296 296 - } 297 297 - 298 298 - // Set Bearer token authentication (app-password) 299 299 - req.Header.Set("Authorization", "Bearer "+accessToken) 300 300 - 301 301 - // Make request with standard HTTP client 302 302 - resp, err := http.DefaultClient.Do(req) 303 303 - if err != nil { 304 304 - InvalidateServiceToken(did, holdDID) 305 305 - slog.Error("App-password service token request failed", 306 306 - "component", "token/servicetoken", 307 307 - "did", did, 308 308 - "holdDID", holdDID, 309 309 - "pdsEndpoint", pdsEndpoint, 310 310 - "error", err) 311 311 - return "", fmt.Errorf("failed to request service token: %w", err) 312 312 - } 313 313 - defer resp.Body.Close() 314 314 - 315 315 - if resp.StatusCode == http.StatusUnauthorized { 316 316 - // App-password token is invalid or expired - clear from cache 317 317 - auth.GetGlobalTokenCache().Delete(did) 318 318 - InvalidateServiceToken(did, holdDID) 319 319 - slog.Error("App-password token rejected by PDS", 320 320 - "component", "token/servicetoken", 321 321 - "did", did, 322 322 - "hint", "User must re-authenticate with docker login") 323 323 - return "", fmt.Errorf("app-password authentication failed: token expired or invalid") 324 324 - } 325 325 - 326 326 - if resp.StatusCode != http.StatusOK { 327 327 - // Service auth failed 328 328 - bodyBytes, _ := io.ReadAll(resp.Body) 329 329 - InvalidateServiceToken(did, holdDID) 330 330 - slog.Error("Service token request returned non-200 status (app-password)", 331 331 - "component", "token/servicetoken", 332 332 - "did", did, 333 333 - "holdDID", holdDID, 334 334 - "pdsEndpoint", pdsEndpoint, 335 335 - "statusCode", resp.StatusCode, 336 336 - "responseBody", string(bodyBytes)) 337 337 - return "", fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 338 338 - } 339 339 - 340 340 - // Parse response to get service token 341 341 - var result struct { 342 342 - Token string `json:"token"` 343 343 - } 344 344 - if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 345 345 - return "", fmt.Errorf("failed to decode service auth response: %w", err) 346 346 - } 347 347 - 348 348 - if result.Token == "" { 349 349 - return "", fmt.Errorf("empty token in service auth response") 350 350 - } 351 351 - 352 352 - serviceToken := result.Token 353 353 - 354 354 - // Cache the token (parses JWT to extract actual expiry) 355 355 - if err := SetServiceToken(did, holdDID, serviceToken); err != nil { 356 356 - slog.Warn("Failed to cache service token", "error", err, "did", did, "holdDID", holdDID) 357 357 - // Non-fatal - we have the token, just won't be cached 358 358 - } 359 359 - 360 360 - slog.Debug("App-password validation succeeded, service token obtained", "did", did) 361 361 - return serviceToken, nil 362 362 - }

-27

pkg/auth/token/servicetoken_test.go

··· 1 1 - package token 2 2 - 3 3 - import ( 4 4 - "context" 5 5 - "testing" 6 6 - ) 7 7 - 8 8 - func TestGetOrFetchServiceToken_NilRefresher(t *testing.T) { 9 9 - ctx := context.Background() 10 10 - did := "did:plc:test123" 11 11 - holdDID := "did:web:hold.example.com" 12 12 - pdsEndpoint := "https://pds.example.com" 13 13 - 14 14 - // Test with nil refresher - should return error 15 15 - _, err := GetOrFetchServiceToken(ctx, nil, did, holdDID, pdsEndpoint) 16 16 - if err == nil { 17 17 - t.Error("Expected error when refresher is nil") 18 18 - } 19 19 - 20 20 - expectedErrMsg := "refresher is nil" 21 21 - if err.Error() != "refresher is nil (OAuth session required for service tokens)" { 22 22 - t.Errorf("Expected error message to contain %q, got %q", expectedErrMsg, err.Error()) 23 23 - } 24 24 - } 25 25 - 26 26 - // Note: Full tests with mocked OAuth refresher and HTTP client will be added 27 27 - // in the comprehensive test implementation phase

+784

pkg/auth/usercontext.go

··· 1 1 + // Package auth provides UserContext for managing authenticated user state 2 2 + // throughout request handling in the AppView. 3 3 + package auth 4 4 + 5 5 + import ( 6 6 + "context" 7 7 + "database/sql" 8 8 + "encoding/json" 9 9 + "fmt" 10 10 + "io" 11 11 + "log/slog" 12 12 + "net/http" 13 13 + "sync" 14 14 + "time" 15 15 + 16 16 + "atcr.io/pkg/appview/db" 17 17 + "atcr.io/pkg/atproto" 18 18 + "atcr.io/pkg/auth/oauth" 19 19 + ) 20 20 + 21 21 + // Auth method constants (duplicated from token package to avoid import cycle) 22 22 + const ( 23 23 + AuthMethodOAuth = "oauth" 24 24 + AuthMethodAppPassword = "app_password" 25 25 + ) 26 26 + 27 27 + // RequestAction represents the type of registry operation 28 28 + type RequestAction int 29 29 + 30 30 + const ( 31 31 + ActionUnknown RequestAction = iota 32 32 + ActionPull // GET/HEAD - reading from registry 33 33 + ActionPush // PUT/POST/DELETE - writing to registry 34 34 + ActionInspect // Metadata operations only 35 35 + ) 36 36 + 37 37 + func (a RequestAction) String() string { 38 38 + switch a { 39 39 + case ActionPull: 40 40 + return "pull" 41 41 + case ActionPush: 42 42 + return "push" 43 43 + case ActionInspect: 44 44 + return "inspect" 45 45 + default: 46 46 + return "unknown" 47 47 + } 48 48 + } 49 49 + 50 50 + // HoldPermissions describes what the user can do on a specific hold 51 51 + type HoldPermissions struct { 52 52 + HoldDID string // Hold being checked 53 53 + IsOwner bool // User is captain of this hold 54 54 + IsCrew bool // User is a crew member 55 55 + IsPublic bool // Hold allows public reads 56 56 + CanRead bool // Computed: can user read blobs? 57 57 + CanWrite bool // Computed: can user write blobs? 58 58 + CanAdmin bool // Computed: can user manage crew? 59 59 + Permissions []string // Raw permissions from crew record 60 60 + } 61 61 + 62 62 + // contextKey is unexported to prevent collisions 63 63 + type contextKey struct{} 64 64 + 65 65 + // userContextKey is the context key for UserContext 66 66 + var userContextKey = contextKey{} 67 67 + 68 68 + // userSetupCache tracks which users have had their profile/crew setup ensured 69 69 + var userSetupCache sync.Map // did -> time.Time 70 70 + 71 71 + // userSetupTTL is how long to cache user setup status (1 hour) 72 72 + const userSetupTTL = 1 * time.Hour 73 73 + 74 74 + // Dependencies bundles services needed by UserContext 75 75 + type Dependencies struct { 76 76 + Refresher *oauth.Refresher 77 77 + Authorizer HoldAuthorizer 78 78 + DefaultHoldDID string // AppView's default hold DID 79 79 + } 80 80 + 81 81 + // UserContext encapsulates authenticated user state for a request. 82 82 + // Built early in the middleware chain and available throughout request processing. 83 83 + // 84 84 + // Two-phase initialization: 85 85 + // 1. Middleware phase: Identity is set (DID, authMethod, action) 86 86 + // 2. Repository() phase: Target is set via SetTarget() (owner, repo, holdDID) 87 87 + type UserContext struct { 88 88 + // === User Identity (set in middleware) === 89 89 + DID string // User's DID (empty if unauthenticated) 90 90 + Handle string // User's handle (may be empty) 91 91 + PDSEndpoint string // User's PDS endpoint 92 92 + AuthMethod string // "oauth", "app_password", or "" 93 93 + IsAuthenticated bool 94 94 + 95 95 + // === Request Info === 96 96 + Action RequestAction 97 97 + HTTPMethod string 98 98 + 99 99 + // === Target Info (set by SetTarget) === 100 100 + TargetOwnerDID string // whose repo is being accessed 101 101 + TargetOwnerHandle string 102 102 + TargetOwnerPDS string 103 103 + TargetRepo string // image name (e.g., "quickslice") 104 104 + TargetHoldDID string // hold where blobs live/will live 105 105 + 106 106 + // === Dependencies (injected) === 107 107 + refresher *oauth.Refresher 108 108 + authorizer HoldAuthorizer 109 109 + defaultHoldDID string 110 110 + 111 111 + // === Cached State (lazy-loaded) === 112 112 + serviceTokens sync.Map // holdDID -> *serviceTokenEntry 113 113 + permissions sync.Map // holdDID -> *HoldPermissions 114 114 + pdsResolved bool 115 115 + pdsResolveErr error 116 116 + mu sync.Mutex // protects PDS resolution 117 117 + atprotoClient *atproto.Client 118 118 + atprotoClientOnce sync.Once 119 119 + } 120 120 + 121 121 + // FromContext retrieves UserContext from context. 122 122 + // Returns nil if not present (unauthenticated or before middleware). 123 123 + func FromContext(ctx context.Context) *UserContext { 124 124 + uc, _ := ctx.Value(userContextKey).(*UserContext) 125 125 + return uc 126 126 + } 127 127 + 128 128 + // WithUserContext adds UserContext to context 129 129 + func WithUserContext(ctx context.Context, uc *UserContext) context.Context { 130 130 + return context.WithValue(ctx, userContextKey, uc) 131 131 + } 132 132 + 133 133 + // NewUserContext creates a UserContext from extracted JWT claims. 134 134 + // The deps parameter provides access to services needed for lazy operations. 135 135 + func NewUserContext(did, authMethod, httpMethod string, deps *Dependencies) *UserContext { 136 136 + action := ActionUnknown 137 137 + switch httpMethod { 138 138 + case "GET", "HEAD": 139 139 + action = ActionPull 140 140 + case "PUT", "POST", "PATCH", "DELETE": 141 141 + action = ActionPush 142 142 + } 143 143 + 144 144 + var refresher *oauth.Refresher 145 145 + var authorizer HoldAuthorizer 146 146 + var defaultHoldDID string 147 147 + 148 148 + if deps != nil { 149 149 + refresher = deps.Refresher 150 150 + authorizer = deps.Authorizer 151 151 + defaultHoldDID = deps.DefaultHoldDID 152 152 + } 153 153 + 154 154 + return &UserContext{ 155 155 + DID: did, 156 156 + AuthMethod: authMethod, 157 157 + IsAuthenticated: did != "", 158 158 + Action: action, 159 159 + HTTPMethod: httpMethod, 160 160 + refresher: refresher, 161 161 + authorizer: authorizer, 162 162 + defaultHoldDID: defaultHoldDID, 163 163 + } 164 164 + } 165 165 + 166 166 + // SetPDS sets the user's PDS endpoint directly, bypassing network resolution. 167 167 + // Use when PDS is already known (e.g., from previous resolution or client). 168 168 + func (uc *UserContext) SetPDS(handle, pdsEndpoint string) { 169 169 + uc.mu.Lock() 170 170 + defer uc.mu.Unlock() 171 171 + uc.Handle = handle 172 172 + uc.PDSEndpoint = pdsEndpoint 173 173 + uc.pdsResolved = true 174 174 + uc.pdsResolveErr = nil 175 175 + } 176 176 + 177 177 + // SetTarget sets the target repository information. 178 178 + // Called in Repository() after resolving the owner identity. 179 179 + func (uc *UserContext) SetTarget(ownerDID, ownerHandle, ownerPDS, repo, holdDID string) { 180 180 + uc.TargetOwnerDID = ownerDID 181 181 + uc.TargetOwnerHandle = ownerHandle 182 182 + uc.TargetOwnerPDS = ownerPDS 183 183 + uc.TargetRepo = repo 184 184 + uc.TargetHoldDID = holdDID 185 185 + } 186 186 + 187 187 + // ResolvePDS resolves the user's PDS endpoint (lazy, cached). 188 188 + // Safe to call multiple times; resolution happens once. 189 189 + func (uc *UserContext) ResolvePDS(ctx context.Context) error { 190 190 + if !uc.IsAuthenticated { 191 191 + return nil // Nothing to resolve for anonymous users 192 192 + } 193 193 + 194 194 + uc.mu.Lock() 195 195 + defer uc.mu.Unlock() 196 196 + 197 197 + if uc.pdsResolved { 198 198 + return uc.pdsResolveErr 199 199 + } 200 200 + 201 201 + _, handle, pds, err := atproto.ResolveIdentity(ctx, uc.DID) 202 202 + if err != nil { 203 203 + uc.pdsResolveErr = err 204 204 + uc.pdsResolved = true 205 205 + return err 206 206 + } 207 207 + 208 208 + uc.Handle = handle 209 209 + uc.PDSEndpoint = pds 210 210 + uc.pdsResolved = true 211 211 + return nil 212 212 + } 213 213 + 214 214 + // GetServiceToken returns a service token for the target hold. 215 215 + // Uses internal caching with sync.Once per holdDID. 216 216 + // Requires target to be set via SetTarget(). 217 217 + func (uc *UserContext) GetServiceToken(ctx context.Context) (string, error) { 218 218 + if uc.TargetHoldDID == "" { 219 219 + return "", fmt.Errorf("target hold not set (call SetTarget first)") 220 220 + } 221 221 + return uc.GetServiceTokenForHold(ctx, uc.TargetHoldDID) 222 222 + } 223 223 + 224 224 + // GetServiceTokenForHold returns a service token for an arbitrary hold. 225 225 + // Uses internal caching with sync.Once per holdDID. 226 226 + func (uc *UserContext) GetServiceTokenForHold(ctx context.Context, holdDID string) (string, error) { 227 227 + if !uc.IsAuthenticated { 228 228 + return "", fmt.Errorf("cannot get service token: user not authenticated") 229 229 + } 230 230 + 231 231 + // Ensure PDS is resolved 232 232 + if err := uc.ResolvePDS(ctx); err != nil { 233 233 + return "", fmt.Errorf("failed to resolve PDS: %w", err) 234 234 + } 235 235 + 236 236 + // Load or create cache entry 237 237 + entryVal, _ := uc.serviceTokens.LoadOrStore(holdDID, &serviceTokenEntry{}) 238 238 + entry := entryVal.(*serviceTokenEntry) 239 239 + 240 240 + entry.once.Do(func() { 241 241 + slog.Debug("Fetching service token", 242 242 + "component", "auth/context", 243 243 + "userDID", uc.DID, 244 244 + "holdDID", holdDID, 245 245 + "authMethod", uc.AuthMethod) 246 246 + 247 247 + // Use unified service token function (handles both OAuth and app-password) 248 248 + serviceToken, err := GetOrFetchServiceToken( 249 249 + ctx, uc.AuthMethod, uc.refresher, uc.DID, holdDID, uc.PDSEndpoint, 250 250 + ) 251 251 + 252 252 + entry.token = serviceToken 253 253 + entry.err = err 254 254 + if err == nil { 255 255 + // Parse JWT to get expiry 256 256 + expiry, parseErr := ParseJWTExpiry(serviceToken) 257 257 + if parseErr == nil { 258 258 + entry.expiresAt = expiry.Add(-10 * time.Second) // Safety margin 259 259 + } else { 260 260 + entry.expiresAt = time.Now().Add(45 * time.Second) // Default fallback 261 261 + } 262 262 + } 263 263 + }) 264 264 + 265 265 + return entry.token, entry.err 266 266 + } 267 267 + 268 268 + // CanRead checks if user can read blobs from target hold. 269 269 + // - Public hold: any user (even anonymous) 270 270 + // - Private hold: owner OR crew with blob:read/blob:write 271 271 + func (uc *UserContext) CanRead(ctx context.Context) (bool, error) { 272 272 + if uc.TargetHoldDID == "" { 273 273 + return false, fmt.Errorf("target hold not set (call SetTarget first)") 274 274 + } 275 275 + 276 276 + if uc.authorizer == nil { 277 277 + return false, fmt.Errorf("authorizer not configured") 278 278 + } 279 279 + 280 280 + return uc.authorizer.CheckReadAccess(ctx, uc.TargetHoldDID, uc.DID) 281 281 + } 282 282 + 283 283 + // CanWrite checks if user can write blobs to target hold. 284 284 + // - Must be authenticated 285 285 + // - Must be owner OR crew with blob:write 286 286 + func (uc *UserContext) CanWrite(ctx context.Context) (bool, error) { 287 287 + if uc.TargetHoldDID == "" { 288 288 + return false, fmt.Errorf("target hold not set (call SetTarget first)") 289 289 + } 290 290 + 291 291 + if !uc.IsAuthenticated { 292 292 + return false, nil // Anonymous writes never allowed 293 293 + } 294 294 + 295 295 + if uc.authorizer == nil { 296 296 + return false, fmt.Errorf("authorizer not configured") 297 297 + } 298 298 + 299 299 + return uc.authorizer.CheckWriteAccess(ctx, uc.TargetHoldDID, uc.DID) 300 300 + } 301 301 + 302 302 + // GetPermissions returns detailed permissions for target hold. 303 303 + // Lazy-loaded and cached per holdDID. 304 304 + func (uc *UserContext) GetPermissions(ctx context.Context) (*HoldPermissions, error) { 305 305 + if uc.TargetHoldDID == "" { 306 306 + return nil, fmt.Errorf("target hold not set (call SetTarget first)") 307 307 + } 308 308 + return uc.GetPermissionsForHold(ctx, uc.TargetHoldDID) 309 309 + } 310 310 + 311 311 + // GetPermissionsForHold returns detailed permissions for an arbitrary hold. 312 312 + // Lazy-loaded and cached per holdDID. 313 313 + func (uc *UserContext) GetPermissionsForHold(ctx context.Context, holdDID string) (*HoldPermissions, error) { 314 314 + // Check cache first 315 315 + if cached, ok := uc.permissions.Load(holdDID); ok { 316 316 + return cached.(*HoldPermissions), nil 317 317 + } 318 318 + 319 319 + if uc.authorizer == nil { 320 320 + return nil, fmt.Errorf("authorizer not configured") 321 321 + } 322 322 + 323 323 + // Build permissions by querying authorizer 324 324 + captain, err := uc.authorizer.GetCaptainRecord(ctx, holdDID) 325 325 + if err != nil { 326 326 + return nil, fmt.Errorf("failed to get captain record: %w", err) 327 327 + } 328 328 + 329 329 + perms := &HoldPermissions{ 330 330 + HoldDID: holdDID, 331 331 + IsPublic: captain.Public, 332 332 + IsOwner: uc.DID != "" && uc.DID == captain.Owner, 333 333 + } 334 334 + 335 335 + // Check crew membership if authenticated and not owner 336 336 + if uc.IsAuthenticated && !perms.IsOwner { 337 337 + isCrew, crewErr := uc.authorizer.IsCrewMember(ctx, holdDID, uc.DID) 338 338 + if crewErr != nil { 339 339 + slog.Warn("Failed to check crew membership", 340 340 + "component", "auth/context", 341 341 + "holdDID", holdDID, 342 342 + "userDID", uc.DID, 343 343 + "error", crewErr) 344 344 + } 345 345 + perms.IsCrew = isCrew 346 346 + } 347 347 + 348 348 + // Compute permissions based on role 349 349 + if perms.IsOwner { 350 350 + perms.CanRead = true 351 351 + perms.CanWrite = true 352 352 + perms.CanAdmin = true 353 353 + } else if perms.IsCrew { 354 354 + // Crew members can read and write (for now, all crew have blob:write) 355 355 + // TODO: Check specific permissions from crew record 356 356 + perms.CanRead = true 357 357 + perms.CanWrite = true 358 358 + perms.CanAdmin = false 359 359 + } else if perms.IsPublic { 360 360 + // Public hold - anyone can read 361 361 + perms.CanRead = true 362 362 + perms.CanWrite = false 363 363 + perms.CanAdmin = false 364 364 + } else if uc.IsAuthenticated { 365 365 + // Private hold, authenticated non-crew 366 366 + // Per permission matrix: cannot read private holds 367 367 + perms.CanRead = false 368 368 + perms.CanWrite = false 369 369 + perms.CanAdmin = false 370 370 + } else { 371 371 + // Anonymous on private hold 372 372 + perms.CanRead = false 373 373 + perms.CanWrite = false 374 374 + perms.CanAdmin = false 375 375 + } 376 376 + 377 377 + // Cache and return 378 378 + uc.permissions.Store(holdDID, perms) 379 379 + return perms, nil 380 380 + } 381 381 + 382 382 + // IsCrewMember checks if user is crew of target hold. 383 383 + func (uc *UserContext) IsCrewMember(ctx context.Context) (bool, error) { 384 384 + if uc.TargetHoldDID == "" { 385 385 + return false, fmt.Errorf("target hold not set (call SetTarget first)") 386 386 + } 387 387 + 388 388 + if !uc.IsAuthenticated { 389 389 + return false, nil 390 390 + } 391 391 + 392 392 + if uc.authorizer == nil { 393 393 + return false, fmt.Errorf("authorizer not configured") 394 394 + } 395 395 + 396 396 + return uc.authorizer.IsCrewMember(ctx, uc.TargetHoldDID, uc.DID) 397 397 + } 398 398 + 399 399 + // EnsureCrewMembership is a standalone function to register as crew on a hold. 400 400 + // Use this when you don't have a UserContext (e.g., OAuth callback). 401 401 + // This is best-effort and logs errors without failing. 402 402 + func EnsureCrewMembership(ctx context.Context, did, pdsEndpoint string, refresher *oauth.Refresher, holdDID string) { 403 403 + if holdDID == "" { 404 404 + return 405 405 + } 406 406 + 407 407 + // Only works with OAuth (refresher required) - app passwords can't get service tokens 408 408 + if refresher == nil { 409 409 + slog.Debug("skipping crew registration - no OAuth refresher (app password flow)", "holdDID", holdDID) 410 410 + return 411 411 + } 412 412 + 413 413 + // Normalize URL to DID if needed 414 414 + if !atproto.IsDID(holdDID) { 415 415 + holdDID = atproto.ResolveHoldDIDFromURL(holdDID) 416 416 + if holdDID == "" { 417 417 + slog.Warn("failed to resolve hold DID", "defaultHold", holdDID) 418 418 + return 419 419 + } 420 420 + } 421 421 + 422 422 + // Get service token for the hold (OAuth only at this point) 423 423 + serviceToken, err := GetOrFetchServiceToken(ctx, AuthMethodOAuth, refresher, did, holdDID, pdsEndpoint) 424 424 + if err != nil { 425 425 + slog.Warn("failed to get service token", "holdDID", holdDID, "error", err) 426 426 + return 427 427 + } 428 428 + 429 429 + // Resolve hold DID to HTTP endpoint 430 430 + holdEndpoint := atproto.ResolveHoldURL(holdDID) 431 431 + if holdEndpoint == "" { 432 432 + slog.Warn("failed to resolve hold endpoint", "holdDID", holdDID) 433 433 + return 434 434 + } 435 435 + 436 436 + // Call requestCrew endpoint 437 437 + if err := requestCrewMembership(ctx, holdEndpoint, serviceToken); err != nil { 438 438 + slog.Warn("failed to request crew membership", "holdDID", holdDID, "error", err) 439 439 + return 440 440 + } 441 441 + 442 442 + slog.Info("successfully registered as crew member", "holdDID", holdDID, "userDID", did) 443 443 + } 444 444 + 445 445 + // ensureCrewMembership attempts to register as crew on target hold (UserContext method). 446 446 + // Called automatically during first push; idempotent. 447 447 + // This is a best-effort operation and logs errors without failing. 448 448 + // Requires SetTarget() to be called first. 449 449 + func (uc *UserContext) ensureCrewMembership(ctx context.Context) error { 450 450 + if uc.TargetHoldDID == "" { 451 451 + return fmt.Errorf("target hold not set (call SetTarget first)") 452 452 + } 453 453 + return uc.EnsureCrewMembershipForHold(ctx, uc.TargetHoldDID) 454 454 + } 455 455 + 456 456 + // EnsureCrewMembershipForHold attempts to register as crew on the specified hold. 457 457 + // This is the core implementation that can be called with any holdDID. 458 458 + // Called automatically during first push; idempotent. 459 459 + // This is a best-effort operation and logs errors without failing. 460 460 + func (uc *UserContext) EnsureCrewMembershipForHold(ctx context.Context, holdDID string) error { 461 461 + if holdDID == "" { 462 462 + return nil // Nothing to do 463 463 + } 464 464 + 465 465 + // Normalize URL to DID if needed 466 466 + if !atproto.IsDID(holdDID) { 467 467 + holdDID = atproto.ResolveHoldDIDFromURL(holdDID) 468 468 + if holdDID == "" { 469 469 + return fmt.Errorf("failed to resolve hold DID from URL") 470 470 + } 471 471 + } 472 472 + 473 473 + if !uc.IsAuthenticated { 474 474 + return fmt.Errorf("cannot register as crew: user not authenticated") 475 475 + } 476 476 + 477 477 + if uc.refresher == nil { 478 478 + return fmt.Errorf("cannot register as crew: OAuth session required") 479 479 + } 480 480 + 481 481 + // Get service token for the hold 482 482 + serviceToken, err := uc.GetServiceTokenForHold(ctx, holdDID) 483 483 + if err != nil { 484 484 + return fmt.Errorf("failed to get service token: %w", err) 485 485 + } 486 486 + 487 487 + // Resolve hold DID to HTTP endpoint 488 488 + holdEndpoint := atproto.ResolveHoldURL(holdDID) 489 489 + if holdEndpoint == "" { 490 490 + return fmt.Errorf("failed to resolve hold endpoint for %s", holdDID) 491 491 + } 492 492 + 493 493 + // Call requestCrew endpoint 494 494 + return requestCrewMembership(ctx, holdEndpoint, serviceToken) 495 495 + } 496 496 + 497 497 + // requestCrewMembership calls the hold's requestCrew endpoint 498 498 + // The endpoint handles all authorization and duplicate checking internally 499 499 + func requestCrewMembership(ctx context.Context, holdEndpoint, serviceToken string) error { 500 500 + // Add 5 second timeout to prevent hanging on offline holds 501 501 + ctx, cancel := context.WithTimeout(ctx, 5*time.Second) 502 502 + defer cancel() 503 503 + 504 504 + url := fmt.Sprintf("%s%s", holdEndpoint, atproto.HoldRequestCrew) 505 505 + 506 506 + req, err := http.NewRequestWithContext(ctx, "POST", url, nil) 507 507 + if err != nil { 508 508 + return err 509 509 + } 510 510 + 511 511 + req.Header.Set("Authorization", "Bearer "+serviceToken) 512 512 + req.Header.Set("Content-Type", "application/json") 513 513 + 514 514 + resp, err := http.DefaultClient.Do(req) 515 515 + if err != nil { 516 516 + return err 517 517 + } 518 518 + defer resp.Body.Close() 519 519 + 520 520 + if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated { 521 521 + // Read response body to capture actual error message from hold 522 522 + body, readErr := io.ReadAll(resp.Body) 523 523 + if readErr != nil { 524 524 + return fmt.Errorf("requestCrew failed with status %d (failed to read error body: %w)", resp.StatusCode, readErr) 525 525 + } 526 526 + return fmt.Errorf("requestCrew failed with status %d: %s", resp.StatusCode, string(body)) 527 527 + } 528 528 + 529 529 + return nil 530 530 + } 531 531 + 532 532 + // GetUserClient returns an authenticated ATProto client for the user's own PDS. 533 533 + // Used for profile operations (reading/writing to user's own repo). 534 534 + // Returns nil if not authenticated or PDS not resolved. 535 535 + func (uc *UserContext) GetUserClient() *atproto.Client { 536 536 + if !uc.IsAuthenticated || uc.PDSEndpoint == "" { 537 537 + return nil 538 538 + } 539 539 + 540 540 + if uc.AuthMethod == AuthMethodOAuth && uc.refresher != nil { 541 541 + return atproto.NewClientWithSessionProvider(uc.PDSEndpoint, uc.DID, uc.refresher) 542 542 + } else if uc.AuthMethod == AuthMethodAppPassword { 543 543 + accessToken, _ := GetGlobalTokenCache().Get(uc.DID) 544 544 + return atproto.NewClient(uc.PDSEndpoint, uc.DID, accessToken) 545 545 + } 546 546 + 547 547 + return nil 548 548 + } 549 549 + 550 550 + // EnsureUserSetup ensures the user has a profile and crew membership. 551 551 + // Called once per user (cached for userSetupTTL). Runs in background - does not block. 552 552 + // Safe to call on every request. 553 553 + func (uc *UserContext) EnsureUserSetup() { 554 554 + if !uc.IsAuthenticated || uc.DID == "" { 555 555 + return 556 556 + } 557 557 + 558 558 + // Check cache - skip if recently set up 559 559 + if lastSetup, ok := userSetupCache.Load(uc.DID); ok { 560 560 + if time.Since(lastSetup.(time.Time)) < userSetupTTL { 561 561 + return 562 562 + } 563 563 + } 564 564 + 565 565 + // Run in background to avoid blocking requests 566 566 + go func() { 567 567 + bgCtx := context.Background() 568 568 + 569 569 + // 1. Ensure profile exists 570 570 + if client := uc.GetUserClient(); client != nil { 571 571 + uc.ensureProfile(bgCtx, client) 572 572 + } 573 573 + 574 574 + // 2. Ensure crew membership on default hold 575 575 + if uc.defaultHoldDID != "" { 576 576 + EnsureCrewMembership(bgCtx, uc.DID, uc.PDSEndpoint, uc.refresher, uc.defaultHoldDID) 577 577 + } 578 578 + 579 579 + // Mark as set up 580 580 + userSetupCache.Store(uc.DID, time.Now()) 581 581 + slog.Debug("User setup complete", 582 582 + "component", "auth/usercontext", 583 583 + "did", uc.DID, 584 584 + "defaultHoldDID", uc.defaultHoldDID) 585 585 + }() 586 586 + } 587 587 + 588 588 + // ensureProfile creates sailor profile if it doesn't exist. 589 589 + // Inline implementation to avoid circular import with storage package. 590 590 + func (uc *UserContext) ensureProfile(ctx context.Context, client *atproto.Client) { 591 591 + // Check if profile already exists 592 592 + profile, err := client.GetRecord(ctx, atproto.SailorProfileCollection, "self") 593 593 + if err == nil && profile != nil { 594 594 + return // Already exists 595 595 + } 596 596 + 597 597 + // Create profile with default hold 598 598 + normalizedDID := "" 599 599 + if uc.defaultHoldDID != "" { 600 600 + normalizedDID = atproto.ResolveHoldDIDFromURL(uc.defaultHoldDID) 601 601 + } 602 602 + 603 603 + newProfile := atproto.NewSailorProfileRecord(normalizedDID) 604 604 + if _, err := client.PutRecord(ctx, atproto.SailorProfileCollection, "self", newProfile); err != nil { 605 605 + slog.Warn("Failed to create sailor profile", 606 606 + "component", "auth/usercontext", 607 607 + "did", uc.DID, 608 608 + "error", err) 609 609 + return 610 610 + } 611 611 + 612 612 + slog.Debug("Created sailor profile", 613 613 + "component", "auth/usercontext", 614 614 + "did", uc.DID, 615 615 + "defaultHold", normalizedDID) 616 616 + } 617 617 + 618 618 + // GetATProtoClient returns a cached ATProto client for the target owner's PDS. 619 619 + // Authenticated if user is owner, otherwise anonymous. 620 620 + // Cached per-request (uses sync.Once). 621 621 + func (uc *UserContext) GetATProtoClient() *atproto.Client { 622 622 + uc.atprotoClientOnce.Do(func() { 623 623 + if uc.TargetOwnerPDS == "" { 624 624 + return 625 625 + } 626 626 + 627 627 + // If puller is owner and authenticated, use authenticated client 628 628 + if uc.DID == uc.TargetOwnerDID && uc.IsAuthenticated { 629 629 + if uc.AuthMethod == AuthMethodOAuth && uc.refresher != nil { 630 630 + uc.atprotoClient = atproto.NewClientWithSessionProvider(uc.TargetOwnerPDS, uc.TargetOwnerDID, uc.refresher) 631 631 + return 632 632 + } else if uc.AuthMethod == AuthMethodAppPassword { 633 633 + accessToken, _ := GetGlobalTokenCache().Get(uc.TargetOwnerDID) 634 634 + uc.atprotoClient = atproto.NewClient(uc.TargetOwnerPDS, uc.TargetOwnerDID, accessToken) 635 635 + return 636 636 + } 637 637 + } 638 638 + 639 639 + // Anonymous client for reads 640 640 + uc.atprotoClient = atproto.NewClient(uc.TargetOwnerPDS, uc.TargetOwnerDID, "") 641 641 + }) 642 642 + return uc.atprotoClient 643 643 + } 644 644 + 645 645 + // ResolveHoldDID finds the hold for the target repository. 646 646 + // - Pull: uses database lookup (historical from manifest) 647 647 + // - Push: uses discovery (sailor profile → default) 648 648 + // 649 649 + // Must be called after SetTarget() is called with at least TargetOwnerDID and TargetRepo set. 650 650 + // Updates TargetHoldDID on success. 651 651 + func (uc *UserContext) ResolveHoldDID(ctx context.Context, sqlDB *sql.DB) (string, error) { 652 652 + if uc.TargetOwnerDID == "" { 653 653 + return "", fmt.Errorf("target owner not set") 654 654 + } 655 655 + 656 656 + var holdDID string 657 657 + var err error 658 658 + 659 659 + switch uc.Action { 660 660 + case ActionPull: 661 661 + // For pulls, look up historical hold from database 662 662 + holdDID, err = uc.resolveHoldForPull(ctx, sqlDB) 663 663 + case ActionPush: 664 664 + // For pushes, discover hold from owner's profile 665 665 + holdDID, err = uc.resolveHoldForPush(ctx) 666 666 + default: 667 667 + // Default to push discovery 668 668 + holdDID, err = uc.resolveHoldForPush(ctx) 669 669 + } 670 670 + 671 671 + if err != nil { 672 672 + return "", err 673 673 + } 674 674 + 675 675 + if holdDID == "" { 676 676 + return "", fmt.Errorf("no hold DID found for %s/%s", uc.TargetOwnerDID, uc.TargetRepo) 677 677 + } 678 678 + 679 679 + uc.TargetHoldDID = holdDID 680 680 + return holdDID, nil 681 681 + } 682 682 + 683 683 + // resolveHoldForPull looks up the hold from the database (historical reference) 684 684 + func (uc *UserContext) resolveHoldForPull(ctx context.Context, sqlDB *sql.DB) (string, error) { 685 685 + // If no database is available, fall back to discovery 686 686 + if sqlDB == nil { 687 687 + return uc.resolveHoldForPush(ctx) 688 688 + } 689 689 + 690 690 + // Try database lookup first 691 691 + holdDID, err := db.GetLatestHoldDIDForRepo(sqlDB, uc.TargetOwnerDID, uc.TargetRepo) 692 692 + if err != nil { 693 693 + slog.Debug("Database lookup failed, falling back to discovery", 694 694 + "component", "auth/context", 695 695 + "ownerDID", uc.TargetOwnerDID, 696 696 + "repo", uc.TargetRepo, 697 697 + "error", err) 698 698 + return uc.resolveHoldForPush(ctx) 699 699 + } 700 700 + 701 701 + if holdDID != "" { 702 702 + return holdDID, nil 703 703 + } 704 704 + 705 705 + // No historical hold found, fall back to discovery 706 706 + return uc.resolveHoldForPush(ctx) 707 707 + } 708 708 + 709 709 + // resolveHoldForPush discovers hold from owner's sailor profile or default 710 710 + func (uc *UserContext) resolveHoldForPush(ctx context.Context) (string, error) { 711 711 + // Create anonymous client to query owner's profile 712 712 + client := atproto.NewClient(uc.TargetOwnerPDS, uc.TargetOwnerDID, "") 713 713 + 714 714 + // Try to get owner's sailor profile 715 715 + record, err := client.GetRecord(ctx, atproto.SailorProfileCollection, "self") 716 716 + if err == nil && record != nil { 717 717 + var profile atproto.SailorProfileRecord 718 718 + if jsonErr := json.Unmarshal(record.Value, &profile); jsonErr == nil { 719 719 + if profile.DefaultHold != "" { 720 720 + // Normalize to DID if needed 721 721 + holdDID := profile.DefaultHold 722 722 + if !atproto.IsDID(holdDID) { 723 723 + holdDID = atproto.ResolveHoldDIDFromURL(holdDID) 724 724 + } 725 725 + slog.Debug("Found hold from owner's profile", 726 726 + "component", "auth/context", 727 727 + "ownerDID", uc.TargetOwnerDID, 728 728 + "holdDID", holdDID) 729 729 + return holdDID, nil 730 730 + } 731 731 + } 732 732 + } 733 733 + 734 734 + // Fall back to default hold 735 735 + if uc.defaultHoldDID != "" { 736 736 + slog.Debug("Using default hold", 737 737 + "component", "auth/context", 738 738 + "ownerDID", uc.TargetOwnerDID, 739 739 + "defaultHoldDID", uc.defaultHoldDID) 740 740 + return uc.defaultHoldDID, nil 741 741 + } 742 742 + 743 743 + return "", fmt.Errorf("no hold configured for %s and no default hold set", uc.TargetOwnerDID) 744 744 + } 745 745 + 746 746 + // ============================================================================= 747 747 + // Test Helper Methods 748 748 + // ============================================================================= 749 749 + // These methods are designed to make UserContext testable by allowing tests 750 750 + // to bypass network-dependent code paths (PDS resolution, OAuth token fetching). 751 751 + // Only use these in tests - they are not intended for production use. 752 752 + 753 753 + // SetPDSForTest sets the PDS endpoint directly, bypassing ResolvePDS network calls. 754 754 + // This allows tests to skip DID resolution which would make network requests. 755 755 + // Deprecated: Use SetPDS instead. 756 756 + func (uc *UserContext) SetPDSForTest(handle, pdsEndpoint string) { 757 757 + uc.SetPDS(handle, pdsEndpoint) 758 758 + } 759 759 + 760 760 + // SetServiceTokenForTest pre-populates a service token for the given holdDID, 761 761 + // bypassing the sync.Once and OAuth/app-password fetching logic. 762 762 + // The token will appear as if it was already fetched and cached. 763 763 + func (uc *UserContext) SetServiceTokenForTest(holdDID, token string) { 764 764 + entry := &serviceTokenEntry{ 765 765 + token: token, 766 766 + expiresAt: time.Now().Add(5 * time.Minute), 767 767 + err: nil, 768 768 + } 769 769 + // Mark the sync.Once as done so real fetch won't happen 770 770 + entry.once.Do(func() {}) 771 771 + uc.serviceTokens.Store(holdDID, entry) 772 772 + } 773 773 + 774 774 + // SetAuthorizerForTest sets the authorizer for permission checks. 775 775 + // Use with MockHoldAuthorizer to control CanRead/CanWrite behavior in tests. 776 776 + func (uc *UserContext) SetAuthorizerForTest(authorizer HoldAuthorizer) { 777 777 + uc.authorizer = authorizer 778 778 + } 779 779 + 780 780 + // SetDefaultHoldDIDForTest sets the default hold DID for tests. 781 781 + // This is used as fallback when resolving hold for push operations. 782 782 + func (uc *UserContext) SetDefaultHoldDIDForTest(holdDID string) { 783 783 + uc.defaultHoldDID = holdDID 784 784 + }

+70 -27

pkg/hold/pds/auth.go

··· 4 4 "context" 5 5 "encoding/base64" 6 6 "encoding/json" 7 7 + "errors" 7 8 "fmt" 8 9 "io" 9 10 "log/slog" ··· 18 19 "github.com/golang-jwt/jwt/v5" 19 20 ) 20 21 22 22 + // Authentication errors 23 23 + var ( 24 24 + ErrMissingAuthHeader = errors.New("missing Authorization header") 25 25 + ErrInvalidAuthFormat = errors.New("invalid Authorization header format") 26 26 + ErrInvalidAuthScheme = errors.New("invalid authorization scheme: expected 'Bearer' or 'DPoP'") 27 27 + ErrMissingToken = errors.New("missing token") 28 28 + ErrMissingDPoPHeader = errors.New("missing DPoP header") 29 29 + ) 30 30 + 31 31 + // JWT validation errors 32 32 + var ( 33 33 + ErrInvalidJWTFormat = errors.New("invalid JWT format: expected header.payload.signature") 34 34 + ErrMissingISSClaim = errors.New("missing 'iss' claim in token") 35 35 + ErrMissingSubClaim = errors.New("missing 'sub' claim in token") 36 36 + ErrTokenExpired = errors.New("token has expired") 37 37 + ) 38 38 + 39 39 + // AuthError provides structured authorization error information 40 40 + type AuthError struct { 41 41 + Action string // The action being attempted: "blob:read", "blob:write", "crew:admin" 42 42 + Reason string // Why access was denied 43 43 + Required []string // What permission(s) would grant access 44 44 + } 45 45 + 46 46 + func (e *AuthError) Error() string { 47 47 + return fmt.Sprintf("access denied for %s: %s (required: %s)", 48 48 + e.Action, e.Reason, strings.Join(e.Required, " or ")) 49 49 + } 50 50 + 51 51 + // NewAuthError creates a new AuthError 52 52 + func NewAuthError(action, reason string, required ...string) *AuthError { 53 53 + return &AuthError{ 54 54 + Action: action, 55 55 + Reason: reason, 56 56 + Required: required, 57 57 + } 58 58 + } 59 59 + 21 60 // HTTPClient interface allows injecting a custom HTTP client for testing 22 61 type HTTPClient interface { 23 62 Do(*http.Request) (*http.Response, error) ··· 44 83 // Extract Authorization header 45 84 authHeader := r.Header.Get("Authorization") 46 85 if authHeader == "" { 47 47 - return nil, fmt.Errorf("missing Authorization header") 86 86 + return nil, ErrMissingAuthHeader 48 87 } 49 88 50 89 // Check for DPoP authorization scheme 51 90 parts := strings.SplitN(authHeader, " ", 2) 52 91 if len(parts) != 2 { 53 53 - return nil, fmt.Errorf("invalid Authorization header format") 92 92 + return nil, ErrInvalidAuthFormat 54 93 } 55 94 56 95 if parts[0] != "DPoP" { ··· 59 98 60 99 accessToken := parts[1] 61 100 if accessToken == "" { 62 62 - return nil, fmt.Errorf("missing access token") 101 101 + return nil, ErrMissingToken 63 102 } 64 103 65 104 // Extract DPoP header 66 105 dpopProof := r.Header.Get("DPoP") 67 106 if dpopProof == "" { 68 68 - return nil, fmt.Errorf("missing DPoP header") 107 107 + return nil, ErrMissingDPoPHeader 69 108 } 70 109 71 110 // TODO: We could verify the DPoP proof locally (signature, HTM, HTU, etc.) ··· 109 148 // JWT format: header.payload.signature 110 149 parts := strings.Split(token, ".") 111 150 if len(parts) != 3 { 112 112 - return "", "", fmt.Errorf("invalid JWT format") 151 151 + return "", "", ErrInvalidJWTFormat 113 152 } 114 153 115 154 // Decode payload (base64url) ··· 129 168 } 130 169 131 170 if claims.Sub == "" { 132 132 - return "", "", fmt.Errorf("missing sub claim (DID)") 171 171 + return "", "", ErrMissingSubClaim 133 172 } 134 173 135 174 if claims.Iss == "" { 136 136 - return "", "", fmt.Errorf("missing iss claim (PDS)") 175 175 + return "", "", ErrMissingISSClaim 137 176 } 138 177 139 178 return claims.Sub, claims.Iss, nil ··· 216 255 return nil, fmt.Errorf("DPoP authentication failed: %w", err) 217 256 } 218 257 } else { 219 219 - return nil, fmt.Errorf("missing or invalid Authorization header (expected Bearer or DPoP)") 258 258 + return nil, ErrInvalidAuthScheme 220 259 } 221 260 222 261 // Get captain record to check owner ··· 243 282 return user, nil 244 283 } 245 284 // User is crew but doesn't have admin permission 246 246 - return nil, fmt.Errorf("crew member lacks required 'crew:admin' permission") 285 285 + return nil, NewAuthError("crew:admin", "crew member lacks permission", "crew:admin") 247 286 } 248 287 } 249 288 250 289 // User is neither owner nor authorized crew 251 251 - return nil, fmt.Errorf("user is not authorized (must be hold owner or crew admin)") 290 290 + return nil, NewAuthError("crew:admin", "user is not a crew member", "crew:admin") 252 291 } 253 292 254 293 // ValidateBlobWriteAccess validates that the request has valid authentication ··· 276 315 return nil, fmt.Errorf("DPoP authentication failed: %w", err) 277 316 } 278 317 } else { 279 279 - return nil, fmt.Errorf("missing or invalid Authorization header (expected Bearer or DPoP)") 318 318 + return nil, ErrInvalidAuthScheme 280 319 } 281 320 282 321 // Get captain record to check owner and public settings ··· 303 342 return user, nil 304 343 } 305 344 // User is crew but doesn't have write permission 306 306 - return nil, fmt.Errorf("crew member lacks required 'blob:write' permission") 345 345 + return nil, NewAuthError("blob:write", "crew member lacks permission", "blob:write") 307 346 } 308 347 } 309 348 310 349 // User is neither owner nor authorized crew 311 311 - return nil, fmt.Errorf("user is not authorized for blob write (must be hold owner or crew with blob:write permission)") 350 350 + return nil, NewAuthError("blob:write", "user is not a crew member", "blob:write") 312 351 } 313 352 314 353 // ValidateBlobReadAccess validates that the request has read access to blobs 315 354 // If captain.public = true: No auth required (returns nil user to indicate public access) 316 316 - // If captain.public = false: Requires valid DPoP + OAuth and (captain OR crew with blob:read permission). 355 355 + // If captain.public = false: Requires valid DPoP + OAuth and (captain OR crew with blob:read or blob:write permission). 356 356 + // Note: blob:write implicitly grants blob:read access. 317 357 // The httpClient parameter is optional and defaults to http.DefaultClient if nil. 318 358 func ValidateBlobReadAccess(r *http.Request, pds *HoldPDS, httpClient HTTPClient) (*ValidatedUser, error) { 319 359 // Get captain record to check public setting ··· 344 384 return nil, fmt.Errorf("DPoP authentication failed: %w", err) 345 385 } 346 386 } else { 347 347 - return nil, fmt.Errorf("missing or invalid Authorization header (expected Bearer or DPoP)") 387 387 + return nil, ErrInvalidAuthScheme 348 388 } 349 389 350 390 // Check if user is the owner (always has read access) ··· 352 392 return user, nil 353 393 } 354 394 355 355 - // Check if user is crew with blob:read permission 395 395 + // Check if user is crew with blob:read or blob:write permission 396 396 + // Note: blob:write implicitly grants blob:read access 356 397 crew, err := pds.ListCrewMembers(r.Context()) 357 398 if err != nil { 358 399 return nil, fmt.Errorf("failed to check crew membership: %w", err) ··· 360 401 361 402 for _, member := range crew { 362 403 if member.Record.Member == user.DID { 363 363 - // Check if this crew member has blob:read permission 364 364 - if slices.Contains(member.Record.Permissions, "blob:read") { 404 404 + // Check if this crew member has blob:read or blob:write permission 405 405 + // blob:write implicitly grants read access (can't push without pulling) 406 406 + if slices.Contains(member.Record.Permissions, "blob:read") || 407 407 + slices.Contains(member.Record.Permissions, "blob:write") { 365 408 return user, nil 366 409 } 367 367 - // User is crew but doesn't have read permission 368 368 - return nil, fmt.Errorf("crew member lacks required 'blob:read' permission") 410 410 + // User is crew but doesn't have read or write permission 411 411 + return nil, NewAuthError("blob:read", "crew member lacks permission", "blob:read", "blob:write") 369 412 } 370 413 } 371 414 372 415 // User is neither owner nor authorized crew 373 373 - return nil, fmt.Errorf("user is not authorized for blob read (must be hold owner or crew with blob:read permission)") 416 416 + return nil, NewAuthError("blob:read", "user is not a crew member", "blob:read", "blob:write") 374 417 } 375 418 376 419 // ServiceTokenClaims represents the claims in a service token JWT ··· 385 428 // Extract Authorization header 386 429 authHeader := r.Header.Get("Authorization") 387 430 if authHeader == "" { 388 388 - return nil, fmt.Errorf("missing Authorization header") 431 431 + return nil, ErrMissingAuthHeader 389 432 } 390 433 391 434 // Check for Bearer authorization scheme 392 435 parts := strings.SplitN(authHeader, " ", 2) 393 436 if len(parts) != 2 { 394 394 - return nil, fmt.Errorf("invalid Authorization header format") 437 437 + return nil, ErrInvalidAuthFormat 395 438 } 396 439 397 440 if parts[0] != "Bearer" { ··· 400 443 401 444 tokenString := parts[1] 402 445 if tokenString == "" { 403 403 - return nil, fmt.Errorf("missing token") 446 446 + return nil, ErrMissingToken 404 447 } 405 448 406 449 slog.Debug("Validating service token", "holdDID", holdDID) ··· 409 452 // Split token: header.payload.signature 410 453 tokenParts := strings.Split(tokenString, ".") 411 454 if len(tokenParts) != 3 { 412 412 - return nil, fmt.Errorf("invalid JWT format") 455 455 + return nil, ErrInvalidJWTFormat 413 456 } 414 457 415 458 // Decode payload (second part) to extract claims ··· 427 470 // Get issuer (user DID) 428 471 issuerDID := claims.Issuer 429 472 if issuerDID == "" { 430 430 - return nil, fmt.Errorf("missing iss claim") 473 473 + return nil, ErrMissingISSClaim 431 474 } 432 475 433 476 // Verify audience matches this hold service ··· 445 488 return nil, fmt.Errorf("failed to get expiration: %w", err) 446 489 } 447 490 if exp != nil && time.Now().After(exp.Time) { 448 448 - return nil, fmt.Errorf("token has expired") 491 491 + return nil, ErrTokenExpired 449 492 } 450 493 451 494 // Verify JWT signature using ATProto's secp256k1 crypto

+110

pkg/hold/pds/auth_test.go

··· 771 771 } 772 772 } 773 773 774 774 + // TestValidateBlobReadAccess_BlobWriteImpliesRead tests that blob:write grants read access 775 775 + func TestValidateBlobReadAccess_BlobWriteImpliesRead(t *testing.T) { 776 776 + ownerDID := "did:plc:owner123" 777 777 + 778 778 + pds, ctx := setupTestPDSWithBootstrap(t, ownerDID, false, false) 779 779 + 780 780 + // Verify captain record has public=false (private hold) 781 781 + _, captain, err := pds.GetCaptainRecord(ctx) 782 782 + if err != nil { 783 783 + t.Fatalf("Failed to get captain record: %v", err) 784 784 + } 785 785 + 786 786 + if captain.Public { 787 787 + t.Error("Expected public=false for captain record") 788 788 + } 789 789 + 790 790 + // Add crew member with ONLY blob:write permission (no blob:read) 791 791 + writerDID := "did:plc:writer123" 792 792 + _, err = pds.AddCrewMember(ctx, writerDID, "writer", []string{"blob:write"}) 793 793 + if err != nil { 794 794 + t.Fatalf("Failed to add crew writer: %v", err) 795 795 + } 796 796 + 797 797 + mockClient := &mockPDSClient{} 798 798 + 799 799 + // Test writer (has only blob:write permission) can read 800 800 + t.Run("crew with blob:write can read", func(t *testing.T) { 801 801 + dpopHelper, err := NewDPoPTestHelper(writerDID, "https://test-pds.example.com") 802 802 + if err != nil { 803 803 + t.Fatalf("Failed to create DPoP helper: %v", err) 804 804 + } 805 805 + 806 806 + req := httptest.NewRequest(http.MethodGet, "/test", nil) 807 807 + if err := dpopHelper.AddDPoPToRequest(req); err != nil { 808 808 + t.Fatalf("Failed to add DPoP to request: %v", err) 809 809 + } 810 810 + 811 811 + // This should SUCCEED because blob:write implies blob:read 812 812 + user, err := ValidateBlobReadAccess(req, pds, mockClient) 813 813 + if err != nil { 814 814 + t.Errorf("Expected blob:write to grant read access, got error: %v", err) 815 815 + } 816 816 + 817 817 + if user == nil { 818 818 + t.Error("Expected user to be returned for valid read access") 819 819 + } else if user.DID != writerDID { 820 820 + t.Errorf("Expected user DID %s, got %s", writerDID, user.DID) 821 821 + } 822 822 + }) 823 823 + 824 824 + // Also verify that crew with only blob:read still works 825 825 + t.Run("crew with blob:read can read", func(t *testing.T) { 826 826 + readerDID := "did:plc:reader123" 827 827 + _, err = pds.AddCrewMember(ctx, readerDID, "reader", []string{"blob:read"}) 828 828 + if err != nil { 829 829 + t.Fatalf("Failed to add crew reader: %v", err) 830 830 + } 831 831 + 832 832 + dpopHelper, err := NewDPoPTestHelper(readerDID, "https://test-pds.example.com") 833 833 + if err != nil { 834 834 + t.Fatalf("Failed to create DPoP helper: %v", err) 835 835 + } 836 836 + 837 837 + req := httptest.NewRequest(http.MethodGet, "/test", nil) 838 838 + if err := dpopHelper.AddDPoPToRequest(req); err != nil { 839 839 + t.Fatalf("Failed to add DPoP to request: %v", err) 840 840 + } 841 841 + 842 842 + user, err := ValidateBlobReadAccess(req, pds, mockClient) 843 843 + if err != nil { 844 844 + t.Errorf("Expected blob:read to grant read access, got error: %v", err) 845 845 + } 846 846 + 847 847 + if user == nil { 848 848 + t.Error("Expected user to be returned for valid read access") 849 849 + } else if user.DID != readerDID { 850 850 + t.Errorf("Expected user DID %s, got %s", readerDID, user.DID) 851 851 + } 852 852 + }) 853 853 + 854 854 + // Verify crew with neither permission cannot read 855 855 + t.Run("crew without read or write cannot read", func(t *testing.T) { 856 856 + noPermDID := "did:plc:noperm123" 857 857 + _, err = pds.AddCrewMember(ctx, noPermDID, "noperm", []string{"crew:admin"}) 858 858 + if err != nil { 859 859 + t.Fatalf("Failed to add crew member: %v", err) 860 860 + } 861 861 + 862 862 + dpopHelper, err := NewDPoPTestHelper(noPermDID, "https://test-pds.example.com") 863 863 + if err != nil { 864 864 + t.Fatalf("Failed to create DPoP helper: %v", err) 865 865 + } 866 866 + 867 867 + req := httptest.NewRequest(http.MethodGet, "/test", nil) 868 868 + if err := dpopHelper.AddDPoPToRequest(req); err != nil { 869 869 + t.Fatalf("Failed to add DPoP to request: %v", err) 870 870 + } 871 871 + 872 872 + _, err = ValidateBlobReadAccess(req, pds, mockClient) 873 873 + if err == nil { 874 874 + t.Error("Expected error for crew without read or write permission") 875 875 + } 876 876 + 877 877 + // Verify error message format 878 878 + if !strings.Contains(err.Error(), "access denied for blob:read") { 879 879 + t.Errorf("Expected structured error message, got: %v", err) 880 880 + } 881 881 + }) 882 882 + } 883 883 + 774 884 // TestValidateOwnerOrCrewAdmin tests admin permission checking 775 885 func TestValidateOwnerOrCrewAdmin(t *testing.T) { 776 886 ownerDID := "did:plc:owner123"

+4 -4

pkg/hold/pds/captain.go

··· 18 18 // CreateCaptainRecord creates the captain record for the hold (first-time only). 19 19 // This will FAIL if the captain record already exists. Use UpdateCaptainRecord to modify. 20 20 func (p *HoldPDS) CreateCaptainRecord(ctx context.Context, ownerDID string, public bool, allowAllCrew bool, enableBlueskyPosts bool) (cid.Cid, error) { 21 21 - captainRecord := &atproto.HoldCaptain{ 22 22 - LexiconTypeID: atproto.CaptainCollection, 21 21 + captainRecord := &atproto.CaptainRecord{ 22 22 + Type: atproto.CaptainCollection, 23 23 Owner: ownerDID, 24 24 Public: public, 25 25 AllowAllCrew: allowAllCrew, ··· 40 40 } 41 41 42 42 // GetCaptainRecord retrieves the captain record 43 43 - func (p *HoldPDS) GetCaptainRecord(ctx context.Context) (cid.Cid, *atproto.HoldCaptain, error) { 43 43 + func (p *HoldPDS) GetCaptainRecord(ctx context.Context) (cid.Cid, *atproto.CaptainRecord, error) { 44 44 // Use repomgr.GetRecord - our types are registered in init() 45 45 // so it will automatically unmarshal to the concrete type 46 46 recordCID, val, err := p.repomgr.GetRecord(ctx, p.uid, atproto.CaptainCollection, CaptainRkey, cid.Undef) ··· 49 49 } 50 50 51 51 // Type assert to our concrete type 52 52 - captainRecord, ok := val.(*atproto.HoldCaptain) 52 52 + captainRecord, ok := val.(*atproto.CaptainRecord) 53 53 if !ok { 54 54 return cid.Undef, nil, fmt.Errorf("unexpected type for captain record: %T", val) 55 55 }

+32 -43

pkg/hold/pds/captain_test.go

··· 12 12 "atcr.io/pkg/atproto" 13 13 ) 14 14 15 15 - // ptrString returns a pointer to the given string 16 16 - func ptrString(s string) *string { 17 17 - return &s 18 18 - } 19 19 - 20 15 // setupTestPDS creates a test PDS instance in a temporary directory 21 16 // It initializes the repo but does NOT create captain/crew records 22 17 // Tests should call Bootstrap or create records as needed ··· 151 146 if captain.EnableBlueskyPosts != tt.enableBlueskyPosts { 152 147 t.Errorf("Expected enableBlueskyPosts=%v, got %v", tt.enableBlueskyPosts, captain.EnableBlueskyPosts) 153 148 } 154 154 - if captain.LexiconTypeID != atproto.CaptainCollection { 155 155 - t.Errorf("Expected type %s, got %s", atproto.CaptainCollection, captain.LexiconTypeID) 149 149 + if captain.Type != atproto.CaptainCollection { 150 150 + t.Errorf("Expected type %s, got %s", atproto.CaptainCollection, captain.Type) 156 151 } 157 152 if captain.DeployedAt == "" { 158 153 t.Error("Expected deployedAt to be set") ··· 327 322 func TestCaptainRecord_CBORRoundtrip(t *testing.T) { 328 323 tests := []struct { 329 324 name string 330 330 - record *atproto.HoldCaptain 325 325 + record *atproto.CaptainRecord 331 326 }{ 332 327 { 333 328 name: "Basic captain", 334 334 - record: &atproto.HoldCaptain{ 335 335 - LexiconTypeID: atproto.CaptainCollection, 336 336 - Owner: "did:plc:alice123", 337 337 - Public: true, 338 338 - AllowAllCrew: false, 339 339 - DeployedAt: "2025-10-16T12:00:00Z", 329 329 + record: &atproto.CaptainRecord{ 330 330 + Type: atproto.CaptainCollection, 331 331 + Owner: "did:plc:alice123", 332 332 + Public: true, 333 333 + AllowAllCrew: false, 334 334 + DeployedAt: "2025-10-16T12:00:00Z", 340 335 }, 341 336 }, 342 337 { 343 338 name: "Captain with optional fields", 344 344 - record: &atproto.HoldCaptain{ 345 345 - LexiconTypeID: atproto.CaptainCollection, 346 346 - Owner: "did:plc:bob456", 347 347 - Public: false, 348 348 - AllowAllCrew: true, 349 349 - DeployedAt: "2025-10-16T12:00:00Z", 350 350 - Region: ptrString("us-west-2"), 351 351 - Provider: ptrString("fly.io"), 339 339 + record: &atproto.CaptainRecord{ 340 340 + Type: atproto.CaptainCollection, 341 341 + Owner: "did:plc:bob456", 342 342 + Public: false, 343 343 + AllowAllCrew: true, 344 344 + DeployedAt: "2025-10-16T12:00:00Z", 345 345 + Region: "us-west-2", 346 346 + Provider: "fly.io", 352 347 }, 353 348 }, 354 349 { 355 350 name: "Captain with empty optional fields", 356 356 - record: &atproto.HoldCaptain{ 357 357 - LexiconTypeID: atproto.CaptainCollection, 358 358 - Owner: "did:plc:charlie789", 359 359 - Public: true, 360 360 - AllowAllCrew: true, 361 361 - DeployedAt: "2025-10-16T12:00:00Z", 362 362 - Region: ptrString(""), 363 363 - Provider: ptrString(""), 351 351 + record: &atproto.CaptainRecord{ 352 352 + Type: atproto.CaptainCollection, 353 353 + Owner: "did:plc:charlie789", 354 354 + Public: true, 355 355 + AllowAllCrew: true, 356 356 + DeployedAt: "2025-10-16T12:00:00Z", 357 357 + Region: "", 358 358 + Provider: "", 364 359 }, 365 360 }, 366 361 } ··· 380 375 } 381 376 382 377 // Unmarshal from CBOR 383 383 - var decoded atproto.HoldCaptain 378 378 + var decoded atproto.CaptainRecord 384 379 err = decoded.UnmarshalCBOR(bytes.NewReader(cborBytes)) 385 380 if err != nil { 386 381 t.Fatalf("UnmarshalCBOR failed: %v", err) 387 382 } 388 383 389 384 // Verify all fields match 390 390 - if decoded.LexiconTypeID != tt.record.LexiconTypeID { 391 391 - t.Errorf("LexiconTypeID mismatch: expected %s, got %s", tt.record.LexiconTypeID, decoded.LexiconTypeID) 385 385 + if decoded.Type != tt.record.Type { 386 386 + t.Errorf("Type mismatch: expected %s, got %s", tt.record.Type, decoded.Type) 392 387 } 393 388 if decoded.Owner != tt.record.Owner { 394 389 t.Errorf("Owner mismatch: expected %s, got %s", tt.record.Owner, decoded.Owner) ··· 402 397 if decoded.DeployedAt != tt.record.DeployedAt { 403 398 t.Errorf("DeployedAt mismatch: expected %s, got %s", tt.record.DeployedAt, decoded.DeployedAt) 404 399 } 405 405 - // Compare Region pointers (may be nil) 406 406 - if (decoded.Region == nil) != (tt.record.Region == nil) { 407 407 - t.Errorf("Region nil mismatch: expected %v, got %v", tt.record.Region, decoded.Region) 408 408 - } else if decoded.Region != nil && *decoded.Region != *tt.record.Region { 409 409 - t.Errorf("Region mismatch: expected %q, got %q", *tt.record.Region, *decoded.Region) 400 400 + if decoded.Region != tt.record.Region { 401 401 + t.Errorf("Region mismatch: expected %s, got %s", tt.record.Region, decoded.Region) 410 402 } 411 411 - // Compare Provider pointers (may be nil) 412 412 - if (decoded.Provider == nil) != (tt.record.Provider == nil) { 413 413 - t.Errorf("Provider nil mismatch: expected %v, got %v", tt.record.Provider, decoded.Provider) 414 414 - } else if decoded.Provider != nil && *decoded.Provider != *tt.record.Provider { 415 415 - t.Errorf("Provider mismatch: expected %q, got %q", *tt.record.Provider, *decoded.Provider) 403 403 + if decoded.Provider != tt.record.Provider { 404 404 + t.Errorf("Provider mismatch: expected %s, got %s", tt.record.Provider, decoded.Provider) 416 405 } 417 406 }) 418 407 }

+10 -10

pkg/hold/pds/crew.go

··· 15 15 16 16 // AddCrewMember adds a new crew member to the hold and commits to carstore 17 17 func (p *HoldPDS) AddCrewMember(ctx context.Context, memberDID, role string, permissions []string) (cid.Cid, error) { 18 18 - crewRecord := &atproto.HoldCrew{ 19 19 - LexiconTypeID: atproto.CrewCollection, 20 20 - Member: memberDID, 21 21 - Role: role, 22 22 - Permissions: permissions, 23 23 - AddedAt: time.Now().Format(time.RFC3339), 18 18 + crewRecord := &atproto.CrewRecord{ 19 19 + Type: atproto.CrewCollection, 20 20 + Member: memberDID, 21 21 + Role: role, 22 22 + Permissions: permissions, 23 23 + AddedAt: time.Now().Format(time.RFC3339), 24 24 } 25 25 26 26 // Use repomgr for crew operations - auto-generated rkey is fine ··· 33 33 } 34 34 35 35 // GetCrewMember retrieves a crew member by their record key 36 36 - func (p *HoldPDS) GetCrewMember(ctx context.Context, rkey string) (cid.Cid, *atproto.HoldCrew, error) { 36 36 + func (p *HoldPDS) GetCrewMember(ctx context.Context, rkey string) (cid.Cid, *atproto.CrewRecord, error) { 37 37 // Use repomgr.GetRecord - our types are registered in init() 38 38 recordCID, val, err := p.repomgr.GetRecord(ctx, p.uid, atproto.CrewCollection, rkey, cid.Undef) 39 39 if err != nil { ··· 41 41 } 42 42 43 43 // Type assert to our concrete type 44 44 - crewRecord, ok := val.(*atproto.HoldCrew) 44 44 + crewRecord, ok := val.(*atproto.CrewRecord) 45 45 if !ok { 46 46 return cid.Undef, nil, fmt.Errorf("unexpected type for crew record: %T", val) 47 47 } ··· 53 53 type CrewMemberWithKey struct { 54 54 Rkey string 55 55 Cid cid.Cid 56 56 - Record *atproto.HoldCrew 56 56 + Record *atproto.CrewRecord 57 57 } 58 58 59 59 // ListCrewMembers returns all crew members with their rkeys ··· 108 108 } 109 109 110 110 // Unmarshal the CBOR bytes into our concrete type 111 111 - var crewRecord atproto.HoldCrew 111 111 + var crewRecord atproto.CrewRecord 112 112 if err := crewRecord.UnmarshalCBOR(bytes.NewReader(*recBytes)); err != nil { 113 113 return fmt.Errorf("failed to decode crew record: %w", err) 114 114 }

+30 -30

pkg/hold/pds/crew_test.go

··· 53 53 t.Errorf("Expected permission[%d]=%s, got %s", i, perm, crew.Record.Permissions[i]) 54 54 } 55 55 } 56 56 - if crew.Record.LexiconTypeID != atproto.CrewCollection { 57 57 - t.Errorf("Expected type %s, got %s", atproto.CrewCollection, crew.Record.LexiconTypeID) 56 56 + if crew.Record.Type != atproto.CrewCollection { 57 57 + t.Errorf("Expected type %s, got %s", atproto.CrewCollection, crew.Record.Type) 58 58 } 59 59 if crew.Record.AddedAt == "" { 60 60 t.Error("Expected addedAt to be set") ··· 348 348 func TestCrewRecord_CBORRoundtrip(t *testing.T) { 349 349 tests := []struct { 350 350 name string 351 351 - record *atproto.HoldCrew 351 351 + record *atproto.CrewRecord 352 352 }{ 353 353 { 354 354 name: "Basic crew member", 355 355 - record: &atproto.HoldCrew{ 356 356 - LexiconTypeID: atproto.CrewCollection, 357 357 - Member: "did:plc:alice123", 358 358 - Role: "writer", 359 359 - Permissions: []string{"blob:read", "blob:write"}, 360 360 - AddedAt: "2025-10-16T12:00:00Z", 355 355 + record: &atproto.CrewRecord{ 356 356 + Type: atproto.CrewCollection, 357 357 + Member: "did:plc:alice123", 358 358 + Role: "writer", 359 359 + Permissions: []string{"blob:read", "blob:write"}, 360 360 + AddedAt: "2025-10-16T12:00:00Z", 361 361 }, 362 362 }, 363 363 { 364 364 name: "Admin crew member", 365 365 - record: &atproto.HoldCrew{ 366 366 - LexiconTypeID: atproto.CrewCollection, 367 367 - Member: "did:plc:bob456", 368 368 - Role: "admin", 369 369 - Permissions: []string{"blob:read", "blob:write", "crew:admin"}, 370 370 - AddedAt: "2025-10-16T13:00:00Z", 365 365 + record: &atproto.CrewRecord{ 366 366 + Type: atproto.CrewCollection, 367 367 + Member: "did:plc:bob456", 368 368 + Role: "admin", 369 369 + Permissions: []string{"blob:read", "blob:write", "crew:admin"}, 370 370 + AddedAt: "2025-10-16T13:00:00Z", 371 371 }, 372 372 }, 373 373 { 374 374 name: "Reader crew member", 375 375 - record: &atproto.HoldCrew{ 376 376 - LexiconTypeID: atproto.CrewCollection, 377 377 - Member: "did:plc:charlie789", 378 378 - Role: "reader", 379 379 - Permissions: []string{"blob:read"}, 380 380 - AddedAt: "2025-10-16T14:00:00Z", 375 375 + record: &atproto.CrewRecord{ 376 376 + Type: atproto.CrewCollection, 377 377 + Member: "did:plc:charlie789", 378 378 + Role: "reader", 379 379 + Permissions: []string{"blob:read"}, 380 380 + AddedAt: "2025-10-16T14:00:00Z", 381 381 }, 382 382 }, 383 383 { 384 384 name: "Crew member with empty permissions", 385 385 - record: &atproto.HoldCrew{ 386 386 - LexiconTypeID: atproto.CrewCollection, 387 387 - Member: "did:plc:dave012", 388 388 - Role: "none", 389 389 - Permissions: []string{}, 390 390 - AddedAt: "2025-10-16T15:00:00Z", 385 385 + record: &atproto.CrewRecord{ 386 386 + Type: atproto.CrewCollection, 387 387 + Member: "did:plc:dave012", 388 388 + Role: "none", 389 389 + Permissions: []string{}, 390 390 + AddedAt: "2025-10-16T15:00:00Z", 391 391 }, 392 392 }, 393 393 } ··· 407 407 } 408 408 409 409 // Unmarshal from CBOR 410 410 - var decoded atproto.HoldCrew 410 410 + var decoded atproto.CrewRecord 411 411 err = decoded.UnmarshalCBOR(bytes.NewReader(cborBytes)) 412 412 if err != nil { 413 413 t.Fatalf("UnmarshalCBOR failed: %v", err) 414 414 } 415 415 416 416 // Verify all fields match 417 417 - if decoded.LexiconTypeID != tt.record.LexiconTypeID { 418 418 - t.Errorf("LexiconTypeID mismatch: expected %s, got %s", tt.record.LexiconTypeID, decoded.LexiconTypeID) 417 417 + if decoded.Type != tt.record.Type { 418 418 + t.Errorf("Type mismatch: expected %s, got %s", tt.record.Type, decoded.Type) 419 419 } 420 420 if decoded.Member != tt.record.Member { 421 421 t.Errorf("Member mismatch: expected %s, got %s", tt.record.Member, decoded.Member)

+5 -5

pkg/hold/pds/layer.go

··· 9 9 10 10 // CreateLayerRecord creates a new layer record in the hold's PDS 11 11 // Returns the rkey and CID of the created record 12 12 - func (p *HoldPDS) CreateLayerRecord(ctx context.Context, record *atproto.HoldLayer) (string, string, error) { 12 12 + func (p *HoldPDS) CreateLayerRecord(ctx context.Context, record *atproto.LayerRecord) (string, string, error) { 13 13 // Validate record 14 14 - if record.LexiconTypeID != atproto.LayerCollection { 15 15 - return "", "", fmt.Errorf("invalid record type: %s", record.LexiconTypeID) 14 14 + if record.Type != atproto.LayerCollection { 15 15 + return "", "", fmt.Errorf("invalid record type: %s", record.Type) 16 16 } 17 17 18 18 if record.Digest == "" { ··· 40 40 41 41 // GetLayerRecord retrieves a specific layer record by rkey 42 42 // Note: This is a simplified implementation. For production, you may need to pass the CID 43 43 - func (p *HoldPDS) GetLayerRecord(ctx context.Context, rkey string) (*atproto.HoldLayer, error) { 43 43 + func (p *HoldPDS) GetLayerRecord(ctx context.Context, rkey string) (*atproto.LayerRecord, error) { 44 44 // For now, we don't implement this as it's not needed for the manifest post feature 45 45 // Full implementation would require querying the carstore with a specific CID 46 46 return nil, fmt.Errorf("GetLayerRecord not yet implemented - use via XRPC listRecords instead") ··· 50 50 // Returns records, next cursor (empty if no more), and error 51 51 // Note: This is a simplified implementation. For production, consider adding filters 52 52 // (by repository, user, digest, etc.) and proper pagination 53 53 - func (p *HoldPDS) ListLayerRecords(ctx context.Context, limit int, cursor string) ([]*atproto.HoldLayer, string, error) { 53 53 + func (p *HoldPDS) ListLayerRecords(ctx context.Context, limit int, cursor string) ([]*atproto.LayerRecord, string, error) { 54 54 // For now, return empty list - full implementation would query the carstore 55 55 // This would require iterating over records in the collection and filtering 56 56 // In practice, layer records are mainly for analytics and Bluesky posts,

+19 -19

pkg/hold/pds/layer_test.go

··· 12 12 13 13 tests := []struct { 14 14 name string 15 15 - record *atproto.HoldLayer 15 15 + record *atproto.LayerRecord 16 16 wantErr bool 17 17 errSubstr string 18 18 }{ ··· 42 42 }, 43 43 { 44 44 name: "invalid record type", 45 45 - record: &atproto.HoldLayer{ 46 46 - LexiconTypeID: "wrong.type", 45 45 + record: &atproto.LayerRecord{ 46 46 + Type: "wrong.type", 47 47 Digest: "sha256:abc123", 48 48 Size: 1024, 49 49 MediaType: "application/vnd.oci.image.layer.v1.tar", 50 50 Repository: "test", 51 51 - UserDid: "did:plc:test", 51 51 + UserDID: "did:plc:test", 52 52 UserHandle: "test.example.com", 53 53 }, 54 54 wantErr: true, ··· 56 56 }, 57 57 { 58 58 name: "missing digest", 59 59 - record: &atproto.HoldLayer{ 60 60 - LexiconTypeID: atproto.LayerCollection, 59 59 + record: &atproto.LayerRecord{ 60 60 + Type: atproto.LayerCollection, 61 61 Digest: "", 62 62 Size: 1024, 63 63 MediaType: "application/vnd.oci.image.layer.v1.tar", 64 64 Repository: "test", 65 65 - UserDid: "did:plc:test", 65 65 + UserDID: "did:plc:test", 66 66 UserHandle: "test.example.com", 67 67 }, 68 68 wantErr: true, ··· 70 70 }, 71 71 { 72 72 name: "zero size", 73 73 - record: &atproto.HoldLayer{ 74 74 - LexiconTypeID: atproto.LayerCollection, 73 73 + record: &atproto.LayerRecord{ 74 74 + Type: atproto.LayerCollection, 75 75 Digest: "sha256:abc123", 76 76 Size: 0, 77 77 MediaType: "application/vnd.oci.image.layer.v1.tar", 78 78 Repository: "test", 79 79 - UserDid: "did:plc:test", 79 79 + UserDID: "did:plc:test", 80 80 UserHandle: "test.example.com", 81 81 }, 82 82 wantErr: true, ··· 84 84 }, 85 85 { 86 86 name: "negative size", 87 87 - record: &atproto.HoldLayer{ 88 88 - LexiconTypeID: atproto.LayerCollection, 87 87 + record: &atproto.LayerRecord{ 88 88 + Type: atproto.LayerCollection, 89 89 Digest: "sha256:abc123", 90 90 Size: -1, 91 91 MediaType: "application/vnd.oci.image.layer.v1.tar", 92 92 Repository: "test", 93 93 - UserDid: "did:plc:test", 93 93 + UserDID: "did:plc:test", 94 94 UserHandle: "test.example.com", 95 95 }, 96 96 wantErr: true, ··· 191 191 } 192 192 193 193 // Verify all fields are set correctly 194 194 - if record.LexiconTypeID != atproto.LayerCollection { 195 195 - t.Errorf("LexiconTypeID = %q, want %q", record.LexiconTypeID, atproto.LayerCollection) 194 194 + if record.Type != atproto.LayerCollection { 195 195 + t.Errorf("Type = %q, want %q", record.Type, atproto.LayerCollection) 196 196 } 197 197 198 198 if record.Digest != digest { ··· 211 211 t.Errorf("Repository = %q, want %q", record.Repository, repository) 212 212 } 213 213 214 214 - if record.UserDid != userDID { 215 215 - t.Errorf("UserDid = %q, want %q", record.UserDid, userDID) 214 214 + if record.UserDID != userDID { 215 215 + t.Errorf("UserDID = %q, want %q", record.UserDID, userDID) 216 216 } 217 217 218 218 if record.UserHandle != userHandle { ··· 282 282 } 283 283 284 284 // Verify the record can be created 285 285 - if record.LexiconTypeID != atproto.LayerCollection { 286 286 - t.Errorf("Type = %q, want %q", record.LexiconTypeID, atproto.LayerCollection) 285 285 + if record.Type != atproto.LayerCollection { 286 286 + t.Errorf("Type = %q, want %q", record.Type, atproto.LayerCollection) 287 287 } 288 288 289 289 if record.Digest != tt.digest {

+7 -3

pkg/hold/pds/server.go

··· 19 19 "github.com/ipfs/go-cid" 20 20 ) 21 21 22 22 - // init registers the TangledProfileRecord type with indigo's lexutil type registry. 23 23 - // Note: HoldCaptain, HoldCrew, and HoldLayer are registered in pkg/atproto/register.go (generated). 24 24 - // TangledProfileRecord is external (sh.tangled.actor.profile) so we register it here. 22 22 + // init registers our custom ATProto types with indigo's lexutil type registry 23 23 + // This allows repomgr.GetRecord to automatically unmarshal our types 25 24 func init() { 25 25 + // Register captain, crew, tangled profile, and layer record types 26 26 + // These must match the $type field in the records 27 27 + lexutil.RegisterType(atproto.CaptainCollection, &atproto.CaptainRecord{}) 28 28 + lexutil.RegisterType(atproto.CrewCollection, &atproto.CrewRecord{}) 29 29 + lexutil.RegisterType(atproto.LayerCollection, &atproto.LayerRecord{}) 26 30 lexutil.RegisterType(atproto.TangledProfileCollection, &atproto.TangledProfileRecord{}) 27 31 } 28 32

+6 -6

pkg/hold/pds/server_test.go

··· 150 150 if captain.AllowAllCrew != allowAllCrew { 151 151 t.Errorf("Expected allowAllCrew=%v, got %v", allowAllCrew, captain.AllowAllCrew) 152 152 } 153 153 - if captain.LexiconTypeID != atproto.CaptainCollection { 154 154 - t.Errorf("Expected type %s, got %s", atproto.CaptainCollection, captain.LexiconTypeID) 153 153 + if captain.Type != atproto.CaptainCollection { 154 154 + t.Errorf("Expected type %s, got %s", atproto.CaptainCollection, captain.Type) 155 155 } 156 156 if captain.DeployedAt == "" { 157 157 t.Error("Expected deployedAt to be set") ··· 317 317 if captain == nil { 318 318 t.Fatal("Expected non-nil captain record") 319 319 } 320 320 - if captain.LexiconTypeID != atproto.CaptainCollection { 321 321 - t.Errorf("Expected captain type %s, got %s", atproto.CaptainCollection, captain.LexiconTypeID) 320 320 + if captain.Type != atproto.CaptainCollection { 321 321 + t.Errorf("Expected captain type %s, got %s", atproto.CaptainCollection, captain.Type) 322 322 } 323 323 324 324 // Do the same for crew record ··· 331 331 } 332 332 333 333 crew := crewMembers[0].Record 334 334 - if crew.LexiconTypeID != atproto.CrewCollection { 335 335 - t.Errorf("Expected crew type %s, got %s", atproto.CrewCollection, crew.LexiconTypeID) 334 334 + if crew.Type != atproto.CrewCollection { 335 335 + t.Errorf("Expected crew type %s, got %s", atproto.CrewCollection, crew.Type) 336 336 } 337 337 } 338 338