+1 -1

README.md

··· 25 25 - [x] com.atproto.repo.deleteRecord 26 26 - [x] com.atproto.repo.describeRepo 27 27 - [x] com.atproto.repo.getRecord 28 28 - - [ ] com.atproto.repo.importRepo 28 28 + - [x] com.atproto.repo.importRepo (Works "okay". You still have to handle PLC operations on your own when migrating. Use with extreme caution.) 29 29 - [x] com.atproto.repo.listRecords 30 30 - [ ] com.atproto.repo.listMissingBlobs 31 31

+269

server/middleware.go

··· 1 1 + package server 2 2 + 3 3 + import ( 4 4 + "crypto/sha256" 5 5 + "encoding/base64" 6 6 + "fmt" 7 7 + "strings" 8 8 + "time" 9 9 + 10 10 + "github.com/Azure/go-autorest/autorest/to" 11 11 + "github.com/golang-jwt/jwt/v4" 12 12 + "github.com/haileyok/cocoon/internal/helpers" 13 13 + "github.com/haileyok/cocoon/models" 14 14 + "github.com/haileyok/cocoon/oauth/provider" 15 15 + "github.com/labstack/echo/v4" 16 16 + "gitlab.com/yawning/secp256k1-voi" 17 17 + secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec" 18 18 + "gorm.io/gorm" 19 19 + ) 20 20 + 21 21 + func (s *Server) handleAdminMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 22 22 + return func(e echo.Context) error { 23 23 + username, password, ok := e.Request().BasicAuth() 24 24 + if !ok || username != "admin" || password != s.config.AdminPassword { 25 25 + return helpers.InputError(e, to.StringPtr("Unauthorized")) 26 26 + } 27 27 + 28 28 + if err := next(e); err != nil { 29 29 + e.Error(err) 30 30 + } 31 31 + 32 32 + return nil 33 33 + } 34 34 + } 35 35 + 36 36 + func (s *Server) handleLegacySessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 37 37 + return func(e echo.Context) error { 38 38 + authheader := e.Request().Header.Get("authorization") 39 39 + if authheader == "" { 40 40 + return e.JSON(401, map[string]string{"error": "Unauthorized"}) 41 41 + } 42 42 + 43 43 + pts := strings.Split(authheader, " ") 44 44 + if len(pts) != 2 { 45 45 + return helpers.ServerError(e, nil) 46 46 + } 47 47 + 48 48 + // move on to oauth session middleware if this is a dpop token 49 49 + if pts[0] == "DPoP" { 50 50 + return next(e) 51 51 + } 52 52 + 53 53 + tokenstr := pts[1] 54 54 + token, _, err := new(jwt.Parser).ParseUnverified(tokenstr, jwt.MapClaims{}) 55 55 + claims, ok := token.Claims.(jwt.MapClaims) 56 56 + if !ok { 57 57 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 58 58 + } 59 59 + 60 60 + var did string 61 61 + var repo *models.RepoActor 62 62 + 63 63 + // service auth tokens 64 64 + lxm, hasLxm := claims["lxm"] 65 65 + if hasLxm { 66 66 + pts := strings.Split(e.Request().URL.String(), "/") 67 67 + if lxm != pts[len(pts)-1] { 68 68 + s.logger.Error("service auth lxm incorrect", "lxm", lxm, "expected", pts[len(pts)-1], "error", err) 69 69 + return helpers.InputError(e, nil) 70 70 + } 71 71 + 72 72 + maybeDid, ok := claims["iss"].(string) 73 73 + if !ok { 74 74 + s.logger.Error("no iss in service auth token", "error", err) 75 75 + return helpers.InputError(e, nil) 76 76 + } 77 77 + did = maybeDid 78 78 + 79 79 + maybeRepo, err := s.getRepoActorByDid(did) 80 80 + if err != nil { 81 81 + s.logger.Error("error fetching repo", "error", err) 82 82 + return helpers.ServerError(e, nil) 83 83 + } 84 84 + repo = maybeRepo 85 85 + } 86 86 + 87 87 + if token.Header["alg"] != "ES256K" { 88 88 + token, err = new(jwt.Parser).Parse(tokenstr, func(t *jwt.Token) (any, error) { 89 89 + if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok { 90 90 + return nil, fmt.Errorf("unsupported signing method: %v", t.Header["alg"]) 91 91 + } 92 92 + return s.privateKey.Public(), nil 93 93 + }) 94 94 + if err != nil { 95 95 + s.logger.Error("error parsing jwt", "error", err) 96 96 + // NOTE: https://github.com/bluesky-social/atproto/discussions/3319 97 97 + return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"}) 98 98 + } 99 99 + 100 100 + if !token.Valid { 101 101 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 102 102 + } 103 103 + } else { 104 104 + kpts := strings.Split(tokenstr, ".") 105 105 + signingInput := kpts[0] + "." + kpts[1] 106 106 + hash := sha256.Sum256([]byte(signingInput)) 107 107 + sigBytes, err := base64.RawURLEncoding.DecodeString(kpts[2]) 108 108 + if err != nil { 109 109 + s.logger.Error("error decoding signature bytes", "error", err) 110 110 + return helpers.ServerError(e, nil) 111 111 + } 112 112 + 113 113 + if len(sigBytes) != 64 { 114 114 + s.logger.Error("incorrect sigbytes length", "length", len(sigBytes)) 115 115 + return helpers.ServerError(e, nil) 116 116 + } 117 117 + 118 118 + rBytes := sigBytes[:32] 119 119 + sBytes := sigBytes[32:] 120 120 + rr, _ := secp256k1.NewScalarFromBytes((*[32]byte)(rBytes)) 121 121 + ss, _ := secp256k1.NewScalarFromBytes((*[32]byte)(sBytes)) 122 122 + 123 123 + sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey) 124 124 + if err != nil { 125 125 + s.logger.Error("can't load private key", "error", err) 126 126 + return err 127 127 + } 128 128 + 129 129 + pubKey, ok := sk.Public().(*secp256k1secec.PublicKey) 130 130 + if !ok { 131 131 + s.logger.Error("error getting public key from sk") 132 132 + return helpers.ServerError(e, nil) 133 133 + } 134 134 + 135 135 + verified := pubKey.VerifyRaw(hash[:], rr, ss) 136 136 + if !verified { 137 137 + s.logger.Error("error verifying", "error", err) 138 138 + return helpers.ServerError(e, nil) 139 139 + } 140 140 + } 141 141 + 142 142 + isRefresh := e.Request().URL.Path == "/xrpc/com.atproto.server.refreshSession" 143 143 + scope, _ := claims["scope"].(string) 144 144 + 145 145 + if isRefresh && scope != "com.atproto.refresh" { 146 146 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 147 147 + } else if !hasLxm && !isRefresh && scope != "com.atproto.access" { 148 148 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 149 149 + } 150 150 + 151 151 + table := "tokens" 152 152 + if isRefresh { 153 153 + table = "refresh_tokens" 154 154 + } 155 155 + 156 156 + if isRefresh { 157 157 + type Result struct { 158 158 + Found bool 159 159 + } 160 160 + var result Result 161 161 + if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", nil, tokenstr).Scan(&result).Error; err != nil { 162 162 + if err == gorm.ErrRecordNotFound { 163 163 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 164 164 + } 165 165 + 166 166 + s.logger.Error("error getting token from db", "error", err) 167 167 + return helpers.ServerError(e, nil) 168 168 + } 169 169 + 170 170 + if !result.Found { 171 171 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 172 172 + } 173 173 + } 174 174 + 175 175 + exp, ok := claims["exp"].(float64) 176 176 + if !ok { 177 177 + s.logger.Error("error getting iat from token") 178 178 + return helpers.ServerError(e, nil) 179 179 + } 180 180 + 181 181 + if exp < float64(time.Now().UTC().Unix()) { 182 182 + return helpers.InputError(e, to.StringPtr("ExpiredToken")) 183 183 + } 184 184 + 185 185 + if repo == nil { 186 186 + maybeRepo, err := s.getRepoActorByDid(claims["sub"].(string)) 187 187 + if err != nil { 188 188 + s.logger.Error("error fetching repo", "error", err) 189 189 + return helpers.ServerError(e, nil) 190 190 + } 191 191 + repo = maybeRepo 192 192 + did = repo.Repo.Did 193 193 + } 194 194 + 195 195 + e.Set("repo", repo) 196 196 + e.Set("did", did) 197 197 + e.Set("token", tokenstr) 198 198 + 199 199 + if err := next(e); err != nil { 200 200 + e.Error(err) 201 201 + } 202 202 + 203 203 + return nil 204 204 + } 205 205 + } 206 206 + 207 207 + func (s *Server) handleOauthSessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 208 208 + return func(e echo.Context) error { 209 209 + authheader := e.Request().Header.Get("authorization") 210 210 + if authheader == "" { 211 211 + return e.JSON(401, map[string]string{"error": "Unauthorized"}) 212 212 + } 213 213 + 214 214 + pts := strings.Split(authheader, " ") 215 215 + if len(pts) != 2 { 216 216 + return helpers.ServerError(e, nil) 217 217 + } 218 218 + 219 219 + if pts[0] != "DPoP" { 220 220 + return next(e) 221 221 + } 222 222 + 223 223 + accessToken := pts[1] 224 224 + 225 225 + nonce := s.oauthProvider.NextNonce() 226 226 + if nonce != "" { 227 227 + e.Response().Header().Set("DPoP-Nonce", nonce) 228 228 + e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce") 229 229 + } 230 230 + 231 231 + proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, to.StringPtr(accessToken)) 232 232 + if err != nil { 233 233 + s.logger.Error("invalid dpop proof", "error", err) 234 234 + return helpers.InputError(e, to.StringPtr(err.Error())) 235 235 + } 236 236 + 237 237 + var oauthToken provider.OauthToken 238 238 + if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE token = ?", nil, accessToken).Scan(&oauthToken).Error; err != nil { 239 239 + s.logger.Error("error finding access token in db", "error", err) 240 240 + return helpers.InputError(e, nil) 241 241 + } 242 242 + 243 243 + if oauthToken.Token == "" { 244 244 + return helpers.InputError(e, to.StringPtr("InvalidToken")) 245 245 + } 246 246 + 247 247 + if *oauthToken.Parameters.DpopJkt != proof.JKT { 248 248 + s.logger.Error("jkt mismatch", "token", oauthToken.Parameters.DpopJkt, "proof", proof.JKT) 249 249 + return helpers.InputError(e, to.StringPtr("dpop jkt mismatch")) 250 250 + } 251 251 + 252 252 + if time.Now().After(oauthToken.ExpiresAt) { 253 253 + return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"}) 254 254 + } 255 255 + 256 256 + repo, err := s.getRepoActorByDid(oauthToken.Sub) 257 257 + if err != nil { 258 258 + s.logger.Error("could not find actor in db", "error", err) 259 259 + return helpers.ServerError(e, nil) 260 260 + } 261 261 + 262 262 + e.Set("repo", repo) 263 263 + e.Set("did", repo.Repo.Did) 264 264 + e.Set("token", accessToken) 265 265 + e.Set("scopes", strings.Split(oauthToken.Parameters.Scope, " ")) 266 266 + 267 267 + return next(e) 268 268 + } 269 269 + }

+4 -261

server/server.go

··· 4 4 "bytes" 5 5 "context" 6 6 "crypto/ecdsa" 7 7 - "crypto/sha256" 8 7 "embed" 9 9 - "encoding/base64" 10 8 "errors" 11 9 "fmt" 12 10 "io" ··· 15 13 "net/smtp" 16 14 "os" 17 15 "path/filepath" 18 18 - "strings" 19 16 "sync" 20 17 "text/template" 21 18 "time" 22 19 23 23 - "github.com/Azure/go-autorest/autorest/to" 24 20 "github.com/aws/aws-sdk-go/aws" 25 21 "github.com/aws/aws-sdk-go/aws/credentials" 26 22 "github.com/aws/aws-sdk-go/aws/session" ··· 32 28 "github.com/bluesky-social/indigo/xrpc" 33 29 "github.com/domodwyer/mailyak/v3" 34 30 "github.com/go-playground/validator" 35 35 - "github.com/golang-jwt/jwt/v4" 36 31 "github.com/gorilla/sessions" 37 32 "github.com/haileyok/cocoon/identity" 38 33 "github.com/haileyok/cocoon/internal/db" ··· 47 42 "github.com/labstack/echo/v4" 48 43 "github.com/labstack/echo/v4/middleware" 49 44 slogecho "github.com/samber/slog-echo" 50 50 - "gitlab.com/yawning/secp256k1-voi" 51 51 - secp256k1secec "gitlab.com/yawning/secp256k1-voi/secec" 52 45 "gorm.io/driver/sqlite" 53 46 "gorm.io/gorm" 54 47 ) ··· 197 190 return t.templates.ExecuteTemplate(w, name, data) 198 191 } 199 192 200 200 - func (s *Server) handleAdminMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 201 201 - return func(e echo.Context) error { 202 202 - username, password, ok := e.Request().BasicAuth() 203 203 - if !ok || username != "admin" || password != s.config.AdminPassword { 204 204 - return helpers.InputError(e, to.StringPtr("Unauthorized")) 205 205 - } 206 206 - 207 207 - if err := next(e); err != nil { 208 208 - e.Error(err) 209 209 - } 210 210 - 211 211 - return nil 212 212 - } 213 213 - } 214 214 - 215 215 - func (s *Server) handleLegacySessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 216 216 - return func(e echo.Context) error { 217 217 - authheader := e.Request().Header.Get("authorization") 218 218 - if authheader == "" { 219 219 - return e.JSON(401, map[string]string{"error": "Unauthorized"}) 220 220 - } 221 221 - 222 222 - pts := strings.Split(authheader, " ") 223 223 - if len(pts) != 2 { 224 224 - return helpers.ServerError(e, nil) 225 225 - } 226 226 - 227 227 - // move on to oauth session middleware if this is a dpop token 228 228 - if pts[0] == "DPoP" { 229 229 - return next(e) 230 230 - } 231 231 - 232 232 - tokenstr := pts[1] 233 233 - token, _, err := new(jwt.Parser).ParseUnverified(tokenstr, jwt.MapClaims{}) 234 234 - claims, ok := token.Claims.(jwt.MapClaims) 235 235 - if !ok { 236 236 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 237 237 - } 238 238 - 239 239 - var did string 240 240 - var repo *models.RepoActor 241 241 - 242 242 - // service auth tokens 243 243 - lxm, hasLxm := claims["lxm"] 244 244 - if hasLxm { 245 245 - pts := strings.Split(e.Request().URL.String(), "/") 246 246 - if lxm != pts[len(pts)-1] { 247 247 - s.logger.Error("service auth lxm incorrect", "lxm", lxm, "expected", pts[len(pts)-1], "error", err) 248 248 - return helpers.InputError(e, nil) 249 249 - } 250 250 - 251 251 - maybeDid, ok := claims["iss"].(string) 252 252 - if !ok { 253 253 - s.logger.Error("no iss in service auth token", "error", err) 254 254 - return helpers.InputError(e, nil) 255 255 - } 256 256 - did = maybeDid 257 257 - 258 258 - maybeRepo, err := s.getRepoActorByDid(did) 259 259 - if err != nil { 260 260 - s.logger.Error("error fetching repo", "error", err) 261 261 - return helpers.ServerError(e, nil) 262 262 - } 263 263 - repo = maybeRepo 264 264 - } 265 265 - 266 266 - if token.Header["alg"] != "ES256K" { 267 267 - token, err = new(jwt.Parser).Parse(tokenstr, func(t *jwt.Token) (any, error) { 268 268 - if _, ok := t.Method.(*jwt.SigningMethodECDSA); !ok { 269 269 - return nil, fmt.Errorf("unsupported signing method: %v", t.Header["alg"]) 270 270 - } 271 271 - return s.privateKey.Public(), nil 272 272 - }) 273 273 - if err != nil { 274 274 - s.logger.Error("error parsing jwt", "error", err) 275 275 - // NOTE: https://github.com/bluesky-social/atproto/discussions/3319 276 276 - return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"}) 277 277 - } 278 278 - 279 279 - if !token.Valid { 280 280 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 281 281 - } 282 282 - } else { 283 283 - kpts := strings.Split(tokenstr, ".") 284 284 - signingInput := kpts[0] + "." + kpts[1] 285 285 - hash := sha256.Sum256([]byte(signingInput)) 286 286 - sigBytes, err := base64.RawURLEncoding.DecodeString(kpts[2]) 287 287 - if err != nil { 288 288 - s.logger.Error("error decoding signature bytes", "error", err) 289 289 - return helpers.ServerError(e, nil) 290 290 - } 291 291 - 292 292 - if len(sigBytes) != 64 { 293 293 - s.logger.Error("incorrect sigbytes length", "length", len(sigBytes)) 294 294 - return helpers.ServerError(e, nil) 295 295 - } 296 296 - 297 297 - rBytes := sigBytes[:32] 298 298 - sBytes := sigBytes[32:] 299 299 - rr, _ := secp256k1.NewScalarFromBytes((*[32]byte)(rBytes)) 300 300 - ss, _ := secp256k1.NewScalarFromBytes((*[32]byte)(sBytes)) 301 301 - 302 302 - sk, err := secp256k1secec.NewPrivateKey(repo.SigningKey) 303 303 - if err != nil { 304 304 - s.logger.Error("can't load private key", "error", err) 305 305 - return err 306 306 - } 307 307 - 308 308 - pubKey, ok := sk.Public().(*secp256k1secec.PublicKey) 309 309 - if !ok { 310 310 - s.logger.Error("error getting public key from sk") 311 311 - return helpers.ServerError(e, nil) 312 312 - } 313 313 - 314 314 - verified := pubKey.VerifyRaw(hash[:], rr, ss) 315 315 - if !verified { 316 316 - s.logger.Error("error verifying", "error", err) 317 317 - return helpers.ServerError(e, nil) 318 318 - } 319 319 - } 320 320 - 321 321 - isRefresh := e.Request().URL.Path == "/xrpc/com.atproto.server.refreshSession" 322 322 - scope, _ := claims["scope"].(string) 323 323 - 324 324 - if isRefresh && scope != "com.atproto.refresh" { 325 325 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 326 326 - } else if !hasLxm && !isRefresh && scope != "com.atproto.access" { 327 327 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 328 328 - } 329 329 - 330 330 - table := "tokens" 331 331 - if isRefresh { 332 332 - table = "refresh_tokens" 333 333 - } 334 334 - 335 335 - if isRefresh { 336 336 - type Result struct { 337 337 - Found bool 338 338 - } 339 339 - var result Result 340 340 - if err := s.db.Raw("SELECT EXISTS(SELECT 1 FROM "+table+" WHERE token = ?) AS found", nil, tokenstr).Scan(&result).Error; err != nil { 341 341 - if err == gorm.ErrRecordNotFound { 342 342 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 343 343 - } 344 344 - 345 345 - s.logger.Error("error getting token from db", "error", err) 346 346 - return helpers.ServerError(e, nil) 347 347 - } 348 348 - 349 349 - if !result.Found { 350 350 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 351 351 - } 352 352 - } 353 353 - 354 354 - exp, ok := claims["exp"].(float64) 355 355 - if !ok { 356 356 - s.logger.Error("error getting iat from token") 357 357 - return helpers.ServerError(e, nil) 358 358 - } 359 359 - 360 360 - if exp < float64(time.Now().UTC().Unix()) { 361 361 - return helpers.InputError(e, to.StringPtr("ExpiredToken")) 362 362 - } 363 363 - 364 364 - if repo == nil { 365 365 - maybeRepo, err := s.getRepoActorByDid(claims["sub"].(string)) 366 366 - if err != nil { 367 367 - s.logger.Error("error fetching repo", "error", err) 368 368 - return helpers.ServerError(e, nil) 369 369 - } 370 370 - repo = maybeRepo 371 371 - did = repo.Repo.Did 372 372 - } 373 373 - 374 374 - e.Set("repo", repo) 375 375 - e.Set("did", did) 376 376 - e.Set("token", tokenstr) 377 377 - 378 378 - if err := next(e); err != nil { 379 379 - e.Error(err) 380 380 - } 381 381 - 382 382 - return nil 383 383 - } 384 384 - } 385 385 - 386 386 - func (s *Server) handleOauthSessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc { 387 387 - return func(e echo.Context) error { 388 388 - authheader := e.Request().Header.Get("authorization") 389 389 - if authheader == "" { 390 390 - return e.JSON(401, map[string]string{"error": "Unauthorized"}) 391 391 - } 392 392 - 393 393 - pts := strings.Split(authheader, " ") 394 394 - if len(pts) != 2 { 395 395 - return helpers.ServerError(e, nil) 396 396 - } 397 397 - 398 398 - if pts[0] != "DPoP" { 399 399 - return next(e) 400 400 - } 401 401 - 402 402 - accessToken := pts[1] 403 403 - 404 404 - nonce := s.oauthProvider.NextNonce() 405 405 - if nonce != "" { 406 406 - e.Response().Header().Set("DPoP-Nonce", nonce) 407 407 - e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce") 408 408 - } 409 409 - 410 410 - proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, to.StringPtr(accessToken)) 411 411 - if err != nil { 412 412 - s.logger.Error("invalid dpop proof", "error", err) 413 413 - return helpers.InputError(e, to.StringPtr(err.Error())) 414 414 - } 415 415 - 416 416 - var oauthToken provider.OauthToken 417 417 - if err := s.db.Raw("SELECT * FROM oauth_tokens WHERE token = ?", nil, accessToken).Scan(&oauthToken).Error; err != nil { 418 418 - s.logger.Error("error finding access token in db", "error", err) 419 419 - return helpers.InputError(e, nil) 420 420 - } 421 421 - 422 422 - if oauthToken.Token == "" { 423 423 - return helpers.InputError(e, to.StringPtr("InvalidToken")) 424 424 - } 425 425 - 426 426 - if *oauthToken.Parameters.DpopJkt != proof.JKT { 427 427 - s.logger.Error("jkt mismatch", "token", oauthToken.Parameters.DpopJkt, "proof", proof.JKT) 428 428 - return helpers.InputError(e, to.StringPtr("dpop jkt mismatch")) 429 429 - } 430 430 - 431 431 - if time.Now().After(oauthToken.ExpiresAt) { 432 432 - return e.JSON(400, map[string]string{"error": "ExpiredToken", "message": "token has expired"}) 433 433 - } 434 434 - 435 435 - repo, err := s.getRepoActorByDid(oauthToken.Sub) 436 436 - if err != nil { 437 437 - s.logger.Error("could not find actor in db", "error", err) 438 438 - return helpers.ServerError(e, nil) 439 439 - } 440 440 - 441 441 - e.Set("repo", repo) 442 442 - e.Set("did", repo.Repo.Did) 443 443 - e.Set("token", accessToken) 444 444 - e.Set("scopes", strings.Split(oauthToken.Parameters.Scope, " ")) 445 445 - 446 446 - return next(e) 447 447 - } 448 448 - } 449 449 - 450 193 func New(args *Args) (*Server, error) { 451 194 if args.Addr == "" { 452 195 return nil, fmt.Errorf("addr must be set") ··· 726 469 s.echo.GET("/xrpc/app.bsky.actor.getPreferences", s.handleActorGetPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 727 470 s.echo.POST("/xrpc/app.bsky.actor.putPreferences", s.handleActorPutPreferences, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 728 471 729 729 - // are there any routes that we should be allowing without auth? i dont think so but idk 730 730 - s.echo.GET("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 731 731 - s.echo.POST("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 732 732 - 733 472 // admin routes 734 473 s.echo.POST("/xrpc/com.atproto.server.createInviteCode", s.handleCreateInviteCode, s.handleAdminMiddleware) 735 474 s.echo.POST("/xrpc/com.atproto.server.createInviteCodes", s.handleCreateInviteCodes, s.handleAdminMiddleware) 475 475 + 476 476 + // are there any routes that we should be allowing without auth? i dont think so but idk 477 477 + s.echo.GET("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 478 478 + s.echo.POST("/xrpc/*", s.handleProxy, s.handleLegacySessionMiddleware, s.handleOauthSessionMiddleware) 736 479 } 737 480 738 481 func (s *Server) Serve(ctx context.Context) error {