+12 -3

README.md

··· 8 8 9 9 - [x] Repo operations (createRecord, getRecord, putRecord, deleteRecord, applyWrites, listRecords) 10 10 - [x] Sync endpoints (getRepo, getRecord, subscribeRepos, listRepos, getLatestCommit) 11 11 - - [x] Auth (createSession, getSession) 11 11 + - [x] Auth (createSession, getSession, refreshSession) 12 12 - [x] Handle resolution (resolveHandle) 13 13 - [x] AppView proxy (app.bsky.* forwarding with service auth) 14 14 - [x] Relay notification (requestCrawl) 15 15 - [x] Single or multi-user (each DID gets isolated storage, no self-service signup yet) 16 16 - - [ ] Blob storage (uploadBlob, getBlob, listBlobs) 17 17 - - [ ] refreshSession 16 16 + - [x] Blob storage (uploadBlob, getBlob, listBlobs) 18 17 - [ ] deleteSession (logout) 19 18 - [ ] updateHandle 20 19 - [ ] importRepo ··· 63 62 wrangler secret put JWT_SECRET 64 63 wrangler secret put RELAY_HOST # optional 65 64 ``` 65 65 + 66 66 + ### Blob Storage 67 67 + 68 68 + Blobs (images, videos) are stored in Cloudflare R2. Create the bucket before deploying: 69 69 + 70 70 + ```bash 71 71 + npx wrangler r2 bucket create pds-blobs 72 72 + ``` 73 73 + 74 74 + The binding is already configured in `wrangler.toml`. Supported formats: JPEG, PNG, GIF, WebP, MP4. Max size: 50MB. Orphaned blobs are automatically cleaned up after 24 hours. 66 75 67 76 ## Testing 68 77

+888

docs/plans/2026-01-06-blob-support.md

··· 1 1 + # Blob Support Implementation Plan 2 2 + 3 3 + > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. 4 4 + 5 5 + **Goal:** Add blob (image/video) upload, storage, and retrieval to the PDS using Cloudflare R2. 6 6 + 7 7 + **Architecture:** Blobs stored in R2 bucket keyed by `{did}/{cid}`. Metadata tracked in SQLite tables (`blob`, `record_blob`) within each Durable Object. Orphan cleanup via DO alarm. MIME sniffing for security. 8 8 + 9 9 + **Tech Stack:** Cloudflare R2, Durable Object SQLite, Web Crypto API (SHA-256 for CID generation) 10 10 + 11 11 + --- 12 12 + 13 13 + ## Task 1: Add R2 Bucket Binding 14 14 + 15 15 + **Files:** 16 16 + - Modify: `wrangler.toml` 17 17 + 18 18 + **Step 1: Add R2 binding to wrangler.toml** 19 19 + 20 20 + Add after the existing migrations section: 21 21 + 22 22 + ```toml 23 23 + [[r2_buckets]] 24 24 + binding = "BLOBS" 25 25 + bucket_name = "pds-blobs" 26 26 + ``` 27 27 + 28 28 + **Step 2: Create R2 bucket (if not exists)** 29 29 + 30 30 + Run: `npx wrangler r2 bucket create pds-blobs` 31 31 + 32 32 + **Step 3: Commit** 33 33 + 34 34 + ```bash 35 35 + git add wrangler.toml 36 36 + git commit -m "feat: add R2 bucket binding for blob storage" 37 37 + ``` 38 38 + 39 39 + --- 40 40 + 41 41 + ## Task 2: Add Blob Database Schema 42 42 + 43 43 + **Files:** 44 44 + - Modify: `src/pds.js:1162-1190` (constructor schema initialization) 45 45 + 46 46 + **Step 1: Add blob and record_blob tables** 47 47 + 48 48 + In the `PersonalDataServer` constructor, after the existing `CREATE TABLE` statements (around line 1186), add: 49 49 + 50 50 + ```javascript 51 51 + CREATE TABLE IF NOT EXISTS blob ( 52 52 + cid TEXT PRIMARY KEY, 53 53 + mimeType TEXT NOT NULL, 54 54 + size INTEGER NOT NULL, 55 55 + createdAt TEXT NOT NULL 56 56 + ); 57 57 + 58 58 + CREATE TABLE IF NOT EXISTS record_blob ( 59 59 + blobCid TEXT NOT NULL, 60 60 + recordUri TEXT NOT NULL, 61 61 + PRIMARY KEY (blobCid, recordUri) 62 62 + ); 63 63 + ``` 64 64 + 65 65 + **Step 2: Test schema creation manually** 66 66 + 67 67 + Deploy and verify tables exist: 68 68 + ```bash 69 69 + npx wrangler deploy 70 70 + ``` 71 71 + 72 72 + **Step 3: Commit** 73 73 + 74 74 + ```bash 75 75 + git add src/pds.js 76 76 + git commit -m "feat: add blob and record_blob tables to schema" 77 77 + ``` 78 78 + 79 79 + --- 80 80 + 81 81 + ## Task 3: Implement MIME Type Sniffing 82 82 + 83 83 + **Files:** 84 84 + - Modify: `src/pds.js` (add after error helper, around line 30) 85 85 + - Test: `test/pds.test.js` 86 86 + 87 87 + **Step 1: Write the failing test** 88 88 + 89 89 + Add to `test/pds.test.js`: 90 90 + 91 91 + ```javascript 92 92 + import { 93 93 + // ... existing imports ... 94 94 + sniffMimeType, 95 95 + } from '../src/pds.js'; 96 96 + 97 97 + describe('MIME Type Sniffing', () => { 98 98 + test('detects JPEG', () => { 99 99 + const bytes = new Uint8Array([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10]); 100 100 + assert.strictEqual(sniffMimeType(bytes), 'image/jpeg'); 101 101 + }); 102 102 + 103 103 + test('detects PNG', () => { 104 104 + const bytes = new Uint8Array([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]); 105 105 + assert.strictEqual(sniffMimeType(bytes), 'image/png'); 106 106 + }); 107 107 + 108 108 + test('detects GIF', () => { 109 109 + const bytes = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); 110 110 + assert.strictEqual(sniffMimeType(bytes), 'image/gif'); 111 111 + }); 112 112 + 113 113 + test('detects WebP', () => { 114 114 + const bytes = new Uint8Array([ 115 115 + 0x52, 0x49, 0x46, 0x46, // RIFF 116 116 + 0x00, 0x00, 0x00, 0x00, // size (ignored) 117 117 + 0x57, 0x45, 0x42, 0x50, // WEBP 118 118 + ]); 119 119 + assert.strictEqual(sniffMimeType(bytes), 'image/webp'); 120 120 + }); 121 121 + 122 122 + test('detects MP4', () => { 123 123 + const bytes = new Uint8Array([ 124 124 + 0x00, 0x00, 0x00, 0x18, // size 125 125 + 0x66, 0x74, 0x79, 0x70, // ftyp 126 126 + ]); 127 127 + assert.strictEqual(sniffMimeType(bytes), 'video/mp4'); 128 128 + }); 129 129 + 130 130 + test('returns null for unknown', () => { 131 131 + const bytes = new Uint8Array([0x00, 0x01, 0x02, 0x03]); 132 132 + assert.strictEqual(sniffMimeType(bytes), null); 133 133 + }); 134 134 + }); 135 135 + ``` 136 136 + 137 137 + **Step 2: Run test to verify it fails** 138 138 + 139 139 + Run: `npm test` 140 140 + Expected: FAIL with "sniffMimeType is not exported" 141 141 + 142 142 + **Step 3: Write minimal implementation** 143 143 + 144 144 + Add to `src/pds.js` after the error helper (around line 30): 145 145 + 146 146 + ```javascript 147 147 + // === MIME TYPE SNIFFING === 148 148 + // Detect file type from magic bytes (first 12 bytes) 149 149 + 150 150 + /** 151 151 + * Sniff MIME type from file magic bytes 152 152 + * @param {Uint8Array|ArrayBuffer} bytes - File bytes (only first 12 needed) 153 153 + * @returns {string|null} Detected MIME type or null if unknown 154 154 + */ 155 155 + export function sniffMimeType(bytes) { 156 156 + const arr = new Uint8Array(bytes.slice(0, 12)); 157 157 + 158 158 + // JPEG: FF D8 FF 159 159 + if (arr[0] === 0xff && arr[1] === 0xd8 && arr[2] === 0xff) { 160 160 + return 'image/jpeg'; 161 161 + } 162 162 + 163 163 + // PNG: 89 50 4E 47 0D 0A 1A 0A 164 164 + if ( 165 165 + arr[0] === 0x89 && 166 166 + arr[1] === 0x50 && 167 167 + arr[2] === 0x4e && 168 168 + arr[3] === 0x47 && 169 169 + arr[4] === 0x0d && 170 170 + arr[5] === 0x0a && 171 171 + arr[6] === 0x1a && 172 172 + arr[7] === 0x0a 173 173 + ) { 174 174 + return 'image/png'; 175 175 + } 176 176 + 177 177 + // GIF: 47 49 46 38 (GIF8) 178 178 + if ( 179 179 + arr[0] === 0x47 && 180 180 + arr[1] === 0x49 && 181 181 + arr[2] === 0x46 && 182 182 + arr[3] === 0x38 183 183 + ) { 184 184 + return 'image/gif'; 185 185 + } 186 186 + 187 187 + // WebP: RIFF....WEBP 188 188 + if ( 189 189 + arr[0] === 0x52 && 190 190 + arr[1] === 0x49 && 191 191 + arr[2] === 0x46 && 192 192 + arr[3] === 0x46 && 193 193 + arr[8] === 0x57 && 194 194 + arr[9] === 0x45 && 195 195 + arr[10] === 0x42 && 196 196 + arr[11] === 0x50 197 197 + ) { 198 198 + return 'image/webp'; 199 199 + } 200 200 + 201 201 + // MP4/MOV: ....ftyp at byte 4 202 202 + if ( 203 203 + arr[4] === 0x66 && 204 204 + arr[5] === 0x74 && 205 205 + arr[6] === 0x79 && 206 206 + arr[7] === 0x70 207 207 + ) { 208 208 + return 'video/mp4'; 209 209 + } 210 210 + 211 211 + return null; 212 212 + } 213 213 + ``` 214 214 + 215 215 + **Step 4: Run test to verify it passes** 216 216 + 217 217 + Run: `npm test` 218 218 + Expected: PASS 219 219 + 220 220 + **Step 5: Commit** 221 221 + 222 222 + ```bash 223 223 + git add src/pds.js test/pds.test.js 224 224 + git commit -m "feat: add MIME type sniffing from magic bytes" 225 225 + ``` 226 226 + 227 227 + --- 228 228 + 229 229 + ## Task 4: Implement Blob Ref Detection 230 230 + 231 231 + **Files:** 232 232 + - Modify: `src/pds.js` (add after sniffMimeType) 233 233 + - Test: `test/pds.test.js` 234 234 + 235 235 + **Step 1: Write the failing test** 236 236 + 237 237 + Add to `test/pds.test.js`: 238 238 + 239 239 + ```javascript 240 240 + import { 241 241 + // ... existing imports ... 242 242 + findBlobRefs, 243 243 + } from '../src/pds.js'; 244 244 + 245 245 + describe('Blob Ref Detection', () => { 246 246 + test('finds blob ref in simple object', () => { 247 247 + const record = { 248 248 + $type: 'app.bsky.feed.post', 249 249 + text: 'Hello', 250 250 + embed: { 251 251 + $type: 'app.bsky.embed.images', 252 252 + images: [ 253 253 + { 254 254 + image: { 255 255 + $type: 'blob', 256 256 + ref: { $link: 'bafkreiabc123' }, 257 257 + mimeType: 'image/jpeg', 258 258 + size: 1234, 259 259 + }, 260 260 + alt: 'test image', 261 261 + }, 262 262 + ], 263 263 + }, 264 264 + }; 265 265 + const refs = findBlobRefs(record); 266 266 + assert.deepStrictEqual(refs, ['bafkreiabc123']); 267 267 + }); 268 268 + 269 269 + test('finds multiple blob refs', () => { 270 270 + const record = { 271 271 + images: [ 272 272 + { image: { $type: 'blob', ref: { $link: 'cid1' }, mimeType: 'image/png', size: 100 } }, 273 273 + { image: { $type: 'blob', ref: { $link: 'cid2' }, mimeType: 'image/png', size: 200 } }, 274 274 + ], 275 275 + }; 276 276 + const refs = findBlobRefs(record); 277 277 + assert.deepStrictEqual(refs, ['cid1', 'cid2']); 278 278 + }); 279 279 + 280 280 + test('returns empty array when no blobs', () => { 281 281 + const record = { text: 'Hello world', count: 42 }; 282 282 + const refs = findBlobRefs(record); 283 283 + assert.deepStrictEqual(refs, []); 284 284 + }); 285 285 + 286 286 + test('handles null and primitives', () => { 287 287 + assert.deepStrictEqual(findBlobRefs(null), []); 288 288 + assert.deepStrictEqual(findBlobRefs('string'), []); 289 289 + assert.deepStrictEqual(findBlobRefs(42), []); 290 290 + }); 291 291 + }); 292 292 + ``` 293 293 + 294 294 + **Step 2: Run test to verify it fails** 295 295 + 296 296 + Run: `npm test` 297 297 + Expected: FAIL with "findBlobRefs is not exported" 298 298 + 299 299 + **Step 3: Write minimal implementation** 300 300 + 301 301 + Add to `src/pds.js` after sniffMimeType: 302 302 + 303 303 + ```javascript 304 304 + // === BLOB REF DETECTION === 305 305 + // Recursively find blob references in records 306 306 + 307 307 + /** 308 308 + * Find all blob CID references in a record 309 309 + * @param {*} obj - Record value to scan 310 310 + * @param {string[]} refs - Accumulator array (internal) 311 311 + * @returns {string[]} Array of blob CID strings 312 312 + */ 313 313 + export function findBlobRefs(obj, refs = []) { 314 314 + if (!obj || typeof obj !== 'object') { 315 315 + return refs; 316 316 + } 317 317 + 318 318 + // Check if this object is a blob ref 319 319 + if (obj.$type === 'blob' && obj.ref?.$link) { 320 320 + refs.push(obj.ref.$link); 321 321 + } 322 322 + 323 323 + // Recurse into arrays and objects 324 324 + if (Array.isArray(obj)) { 325 325 + for (const item of obj) { 326 326 + findBlobRefs(item, refs); 327 327 + } 328 328 + } else { 329 329 + for (const value of Object.values(obj)) { 330 330 + findBlobRefs(value, refs); 331 331 + } 332 332 + } 333 333 + 334 334 + return refs; 335 335 + } 336 336 + ``` 337 337 + 338 338 + **Step 4: Run test to verify it passes** 339 339 + 340 340 + Run: `npm test` 341 341 + Expected: PASS 342 342 + 343 343 + **Step 5: Commit** 344 344 + 345 345 + ```bash 346 346 + git add src/pds.js test/pds.test.js 347 347 + git commit -m "feat: add blob ref detection for records" 348 348 + ``` 349 349 + 350 350 + --- 351 351 + 352 352 + ## Task 5: Implement uploadBlob Endpoint 353 353 + 354 354 + **Files:** 355 355 + - Modify: `src/pds.js` (add route and handler) 356 356 + 357 357 + **Step 1: Add route to pdsRoutes** 358 358 + 359 359 + In `pdsRoutes` object (around line 1055), add: 360 360 + 361 361 + ```javascript 362 362 + '/xrpc/com.atproto.repo.uploadBlob': { 363 363 + method: 'POST', 364 364 + handler: (pds, req, _url) => pds.handleUploadBlob(req), 365 365 + }, 366 366 + ``` 367 367 + 368 368 + **Step 2: Add handler method to PersonalDataServer class** 369 369 + 370 370 + Add method to the class (after existing handlers): 371 371 + 372 372 + ```javascript 373 373 + async handleUploadBlob(request) { 374 374 + // Require auth 375 375 + const authResult = await this.requireAuth(request); 376 376 + if (authResult instanceof Response) return authResult; 377 377 + 378 378 + const did = await this.getDid(); 379 379 + if (!did) { 380 380 + return errorResponse('InvalidRequest', 'PDS not initialized', 400); 381 381 + } 382 382 + 383 383 + // Read body as ArrayBuffer 384 384 + const bodyBytes = await request.arrayBuffer(); 385 385 + const size = bodyBytes.byteLength; 386 386 + 387 387 + // Check size limit (50MB) 388 388 + const MAX_BLOB_SIZE = 50 * 1024 * 1024; 389 389 + if (size > MAX_BLOB_SIZE) { 390 390 + return errorResponse( 391 391 + 'BlobTooLarge', 392 392 + `Blob size ${size} exceeds maximum ${MAX_BLOB_SIZE}`, 393 393 + 400, 394 394 + ); 395 395 + } 396 396 + 397 397 + // Sniff MIME type, fall back to Content-Type header 398 398 + const contentType = request.headers.get('Content-Type') || 'application/octet-stream'; 399 399 + const sniffed = sniffMimeType(bodyBytes); 400 400 + const mimeType = sniffed || contentType; 401 401 + 402 402 + // Compute CID (reuse existing createCid) 403 403 + const cid = await createCid(new Uint8Array(bodyBytes)); 404 404 + const cidStr = cidToString(cid); 405 405 + 406 406 + // Check if blob already exists 407 407 + const existing = this.sql 408 408 + .exec('SELECT cid FROM blob WHERE cid = ?', cidStr) 409 409 + .toArray(); 410 410 + 411 411 + if (existing.length === 0) { 412 412 + // Upload to R2 413 413 + const r2Key = `${did}/${cidStr}`; 414 414 + await this.env.BLOBS.put(r2Key, bodyBytes, { 415 415 + httpMetadata: { contentType: mimeType }, 416 416 + }); 417 417 + 418 418 + // Insert metadata 419 419 + const createdAt = new Date().toISOString(); 420 420 + this.sql.exec( 421 421 + 'INSERT INTO blob (cid, mimeType, size, createdAt) VALUES (?, ?, ?, ?)', 422 422 + cidStr, 423 423 + mimeType, 424 424 + size, 425 425 + createdAt, 426 426 + ); 427 427 + } 428 428 + 429 429 + // Return BlobRef 430 430 + return Response.json({ 431 431 + blob: { 432 432 + $type: 'blob', 433 433 + ref: { $link: cidStr }, 434 434 + mimeType, 435 435 + size, 436 436 + }, 437 437 + }); 438 438 + } 439 439 + ``` 440 440 + 441 441 + **Step 3: Verify deployment** 442 442 + 443 443 + Run: `npx wrangler deploy` 444 444 + 445 445 + **Step 4: Test manually with curl** 446 446 + 447 447 + ```bash 448 448 + curl -X POST \ 449 449 + -H "Authorization: Bearer <access-token>" \ 450 450 + -H "Content-Type: image/png" \ 451 451 + --data-binary @test-image.png \ 452 452 + https://your-pds.workers.dev/xrpc/com.atproto.repo.uploadBlob 453 453 + ``` 454 454 + 455 455 + Expected: JSON response with blob ref 456 456 + 457 457 + **Step 5: Commit** 458 458 + 459 459 + ```bash 460 460 + git add src/pds.js 461 461 + git commit -m "feat: implement uploadBlob endpoint with R2 storage" 462 462 + ``` 463 463 + 464 464 + --- 465 465 + 466 466 + ## Task 6: Implement getBlob Endpoint 467 467 + 468 468 + **Files:** 469 469 + - Modify: `src/pds.js` (add route and handler) 470 470 + 471 471 + **Step 1: Add route to pdsRoutes** 472 472 + 473 473 + ```javascript 474 474 + '/xrpc/com.atproto.sync.getBlob': { 475 475 + handler: (pds, _req, url) => pds.handleGetBlob(url), 476 476 + }, 477 477 + ``` 478 478 + 479 479 + **Step 2: Add handler method** 480 480 + 481 481 + ```javascript 482 482 + async handleGetBlob(url) { 483 483 + const did = url.searchParams.get('did'); 484 484 + const cid = url.searchParams.get('cid'); 485 485 + 486 486 + if (!did || !cid) { 487 487 + return errorResponse('InvalidRequest', 'missing did or cid parameter', 400); 488 488 + } 489 489 + 490 490 + // Verify DID matches this DO 491 491 + const myDid = await this.getDid(); 492 492 + if (did !== myDid) { 493 493 + return errorResponse('InvalidRequest', 'DID does not match this repo', 400); 494 494 + } 495 495 + 496 496 + // Look up blob metadata 497 497 + const rows = this.sql 498 498 + .exec('SELECT mimeType, size FROM blob WHERE cid = ?', cid) 499 499 + .toArray(); 500 500 + 501 501 + if (rows.length === 0) { 502 502 + return errorResponse('BlobNotFound', 'blob not found', 404); 503 503 + } 504 504 + 505 505 + const { mimeType, size } = rows[0]; 506 506 + 507 507 + // Fetch from R2 508 508 + const r2Key = `${did}/${cid}`; 509 509 + const object = await this.env.BLOBS.get(r2Key); 510 510 + 511 511 + if (!object) { 512 512 + return errorResponse('BlobNotFound', 'blob not found in storage', 404); 513 513 + } 514 514 + 515 515 + // Return blob with security headers 516 516 + return new Response(object.body, { 517 517 + headers: { 518 518 + 'Content-Type': mimeType, 519 519 + 'Content-Length': String(size), 520 520 + 'X-Content-Type-Options': 'nosniff', 521 521 + 'Content-Security-Policy': "default-src 'none'; sandbox", 522 522 + 'Cache-Control': 'public, max-age=31536000, immutable', 523 523 + }, 524 524 + }); 525 525 + } 526 526 + ``` 527 527 + 528 528 + **Step 3: Deploy and test** 529 529 + 530 530 + Run: `npx wrangler deploy` 531 531 + 532 532 + Test: 533 533 + ```bash 534 534 + curl "https://your-pds.workers.dev/xrpc/com.atproto.sync.getBlob?did=did:plc:xxx&cid=bafkrei..." 535 535 + ``` 536 536 + 537 537 + **Step 4: Commit** 538 538 + 539 539 + ```bash 540 540 + git add src/pds.js 541 541 + git commit -m "feat: implement getBlob endpoint" 542 542 + ``` 543 543 + 544 544 + --- 545 545 + 546 546 + ## Task 7: Implement listBlobs Endpoint 547 547 + 548 548 + **Files:** 549 549 + - Modify: `src/pds.js` (add route and handler) 550 550 + 551 551 + **Step 1: Add route to pdsRoutes** 552 552 + 553 553 + ```javascript 554 554 + '/xrpc/com.atproto.sync.listBlobs': { 555 555 + handler: (pds, _req, url) => pds.handleListBlobs(url), 556 556 + }, 557 557 + ``` 558 558 + 559 559 + **Step 2: Add handler method** 560 560 + 561 561 + ```javascript 562 562 + async handleListBlobs(url) { 563 563 + const did = url.searchParams.get('did'); 564 564 + const cursor = url.searchParams.get('cursor'); 565 565 + const limit = Math.min(Number(url.searchParams.get('limit')) || 500, 1000); 566 566 + 567 567 + if (!did) { 568 568 + return errorResponse('InvalidRequest', 'missing did parameter', 400); 569 569 + } 570 570 + 571 571 + // Verify DID matches this DO 572 572 + const myDid = await this.getDid(); 573 573 + if (did !== myDid) { 574 574 + return errorResponse('InvalidRequest', 'DID does not match this repo', 400); 575 575 + } 576 576 + 577 577 + // Query blobs with pagination 578 578 + let query = 'SELECT cid, createdAt FROM blob'; 579 579 + const params = []; 580 580 + 581 581 + if (cursor) { 582 582 + query += ' WHERE createdAt > ?'; 583 583 + params.push(cursor); 584 584 + } 585 585 + 586 586 + query += ' ORDER BY createdAt ASC LIMIT ?'; 587 587 + params.push(limit + 1); // Fetch one extra to detect if there's more 588 588 + 589 589 + const rows = this.sql.exec(query, ...params).toArray(); 590 590 + 591 591 + // Determine if there's a next page 592 592 + let nextCursor = null; 593 593 + if (rows.length > limit) { 594 594 + rows.pop(); // Remove the extra row 595 595 + nextCursor = rows[rows.length - 1].createdAt; 596 596 + } 597 597 + 598 598 + return Response.json({ 599 599 + cids: rows.map((r) => r.cid), 600 600 + cursor: nextCursor, 601 601 + }); 602 602 + } 603 603 + ``` 604 604 + 605 605 + **Step 3: Deploy and test** 606 606 + 607 607 + Run: `npx wrangler deploy` 608 608 + 609 609 + Test: 610 610 + ```bash 611 611 + curl "https://your-pds.workers.dev/xrpc/com.atproto.sync.listBlobs?did=did:plc:xxx" 612 612 + ``` 613 613 + 614 614 + **Step 4: Commit** 615 615 + 616 616 + ```bash 617 617 + git add src/pds.js 618 618 + git commit -m "feat: implement listBlobs endpoint" 619 619 + ``` 620 620 + 621 621 + --- 622 622 + 623 623 + ## Task 8: Integrate Blob Association with createRecord 624 624 + 625 625 + **Files:** 626 626 + - Modify: `src/pds.js:1253` (createRecord method) 627 627 + 628 628 + **Step 1: Add blob association after record storage** 629 629 + 630 630 + In `createRecord` method, after storing the record in the `records` table (around line 1280), add: 631 631 + 632 632 + ```javascript 633 633 + // Associate blobs with this record 634 634 + const blobRefs = findBlobRefs(record); 635 635 + for (const blobCid of blobRefs) { 636 636 + // Verify blob exists 637 637 + const blobExists = this.sql 638 638 + .exec('SELECT cid FROM blob WHERE cid = ?', blobCid) 639 639 + .toArray(); 640 640 + 641 641 + if (blobExists.length === 0) { 642 642 + throw new Error(`BlobNotFound: ${blobCid}`); 643 643 + } 644 644 + 645 645 + // Create association 646 646 + this.sql.exec( 647 647 + 'INSERT OR IGNORE INTO record_blob (blobCid, recordUri) VALUES (?, ?)', 648 648 + blobCid, 649 649 + uri, 650 650 + ); 651 651 + } 652 652 + ``` 653 653 + 654 654 + **Step 2: Deploy and test** 655 655 + 656 656 + Test by uploading a blob, then creating a post that references it: 657 657 + 658 658 + ```bash 659 659 + # Upload blob 660 660 + BLOB=$(curl -X POST -H "Authorization: Bearer $TOKEN" \ 661 661 + -H "Content-Type: image/png" --data-binary @test.png \ 662 662 + https://your-pds.workers.dev/xrpc/com.atproto.repo.uploadBlob) 663 663 + 664 664 + echo $BLOB # Get the CID 665 665 + 666 666 + # Create post with image 667 667 + curl -X POST -H "Authorization: Bearer $TOKEN" \ 668 668 + -H "Content-Type: application/json" \ 669 669 + https://your-pds.workers.dev/xrpc/com.atproto.repo.createRecord \ 670 670 + -d '{ 671 671 + "repo": "did:plc:xxx", 672 672 + "collection": "app.bsky.feed.post", 673 673 + "record": { 674 674 + "$type": "app.bsky.feed.post", 675 675 + "text": "Hello with image!", 676 676 + "createdAt": "2026-01-06T12:00:00.000Z", 677 677 + "embed": { 678 678 + "$type": "app.bsky.embed.images", 679 679 + "images": [{ 680 680 + "image": { 681 681 + "$type": "blob", 682 682 + "ref": {"$link": "<cid-from-upload>"}, 683 683 + "mimeType": "image/png", 684 684 + "size": 1234 685 685 + }, 686 686 + "alt": "test" 687 687 + }] 688 688 + } 689 689 + } 690 690 + }' 691 691 + ``` 692 692 + 693 693 + **Step 3: Commit** 694 694 + 695 695 + ```bash 696 696 + git add src/pds.js 697 697 + git commit -m "feat: associate blobs with records on createRecord" 698 698 + ``` 699 699 + 700 700 + --- 701 701 + 702 702 + ## Task 9: Implement Blob Cleanup on deleteRecord 703 703 + 704 704 + **Files:** 705 705 + - Modify: `src/pds.js:1391` (deleteRecord method) 706 706 + 707 707 + **Step 1: Add blob cleanup after record deletion** 708 708 + 709 709 + In `deleteRecord` method, after deleting the record from the `records` table, add: 710 710 + 711 711 + ```javascript 712 712 + // Get blobs associated with this record 713 713 + const associatedBlobs = this.sql 714 714 + .exec('SELECT blobCid FROM record_blob WHERE recordUri = ?', uri) 715 715 + .toArray(); 716 716 + 717 717 + // Remove associations for this record 718 718 + this.sql.exec('DELETE FROM record_blob WHERE recordUri = ?', uri); 719 719 + 720 720 + // Check each blob for orphan status and delete if unreferenced 721 721 + for (const { blobCid } of associatedBlobs) { 722 722 + const stillReferenced = this.sql 723 723 + .exec('SELECT 1 FROM record_blob WHERE blobCid = ? LIMIT 1', blobCid) 724 724 + .toArray(); 725 725 + 726 726 + if (stillReferenced.length === 0) { 727 727 + // Blob is orphaned, delete from R2 and database 728 728 + const did = await this.getDid(); 729 729 + await this.env.BLOBS.delete(`${did}/${blobCid}`); 730 730 + this.sql.exec('DELETE FROM blob WHERE cid = ?', blobCid); 731 731 + } 732 732 + } 733 733 + ``` 734 734 + 735 735 + **Step 2: Deploy and test** 736 736 + 737 737 + Test by creating a post with an image, then deleting it: 738 738 + 739 739 + ```bash 740 740 + # Delete the post 741 741 + curl -X POST -H "Authorization: Bearer $TOKEN" \ 742 742 + -H "Content-Type: application/json" \ 743 743 + https://your-pds.workers.dev/xrpc/com.atproto.repo.deleteRecord \ 744 744 + -d '{ 745 745 + "repo": "did:plc:xxx", 746 746 + "collection": "app.bsky.feed.post", 747 747 + "rkey": "<rkey>" 748 748 + }' 749 749 + 750 750 + # Verify blob is gone 751 751 + curl "https://your-pds.workers.dev/xrpc/com.atproto.sync.listBlobs?did=did:plc:xxx" 752 752 + ``` 753 753 + 754 754 + **Step 3: Commit** 755 755 + 756 756 + ```bash 757 757 + git add src/pds.js 758 758 + git commit -m "feat: cleanup orphaned blobs on record deletion" 759 759 + ``` 760 760 + 761 761 + --- 762 762 + 763 763 + ## Task 10: Implement Orphan Cleanup Alarm 764 764 + 765 765 + **Files:** 766 766 + - Modify: `src/pds.js` (add alarm handler and scheduling) 767 767 + 768 768 + **Step 1: Add alarm scheduling in initIdentity** 769 769 + 770 770 + In the `initIdentity` method (or after successful init), add: 771 771 + 772 772 + ```javascript 773 773 + // Schedule blob cleanup alarm (runs daily) 774 774 + const currentAlarm = await this.state.storage.getAlarm(); 775 775 + if (!currentAlarm) { 776 776 + await this.state.storage.setAlarm(Date.now() + 24 * 60 * 60 * 1000); 777 777 + } 778 778 + ``` 779 779 + 780 780 + **Step 2: Add alarm handler to PersonalDataServer class** 781 781 + 782 782 + ```javascript 783 783 + async alarm() { 784 784 + await this.cleanupOrphanedBlobs(); 785 785 + // Reschedule for next day 786 786 + await this.state.storage.setAlarm(Date.now() + 24 * 60 * 60 * 1000); 787 787 + } 788 788 + 789 789 + async cleanupOrphanedBlobs() { 790 790 + const did = await this.getDid(); 791 791 + if (!did) return; 792 792 + 793 793 + // Find orphans: blobs not in record_blob, older than 24h 794 794 + const cutoff = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); 795 795 + 796 796 + const orphans = this.sql 797 797 + .exec( 798 798 + `SELECT b.cid FROM blob b 799 799 + LEFT JOIN record_blob rb ON b.cid = rb.blobCid 800 800 + WHERE rb.blobCid IS NULL AND b.createdAt < ?`, 801 801 + cutoff, 802 802 + ) 803 803 + .toArray(); 804 804 + 805 805 + for (const { cid } of orphans) { 806 806 + await this.env.BLOBS.delete(`${did}/${cid}`); 807 807 + this.sql.exec('DELETE FROM blob WHERE cid = ?', cid); 808 808 + } 809 809 + 810 810 + if (orphans.length > 0) { 811 811 + console.log(`Cleaned up ${orphans.length} orphaned blobs`); 812 812 + } 813 813 + } 814 814 + ``` 815 815 + 816 816 + **Step 3: Deploy** 817 817 + 818 818 + Run: `npx wrangler deploy` 819 819 + 820 820 + **Step 4: Commit** 821 821 + 822 822 + ```bash 823 823 + git add src/pds.js 824 824 + git commit -m "feat: add DO alarm for orphaned blob cleanup" 825 825 + ``` 826 826 + 827 827 + --- 828 828 + 829 829 + ## Task 11: Update README 830 830 + 831 831 + **Files:** 832 832 + - Modify: `README.md` 833 833 + 834 834 + **Step 1: Update feature checklist** 835 835 + 836 836 + Change: 837 837 + ```markdown 838 838 + - [ ] Blob storage (uploadBlob, getBlob, listBlobs) 839 839 + ``` 840 840 + 841 841 + To: 842 842 + ```markdown 843 843 + - [x] Blob storage (uploadBlob, getBlob, listBlobs) 844 844 + ``` 845 845 + 846 846 + **Step 2: Add blob configuration section** 847 847 + 848 848 + Add under configuration: 849 849 + 850 850 + ```markdown 851 851 + ### Blob Storage 852 852 + 853 853 + Blobs (images, videos) are stored in Cloudflare R2: 854 854 + 855 855 + 1. Create an R2 bucket: `npx wrangler r2 bucket create pds-blobs` 856 856 + 2. The binding is already configured in `wrangler.toml` 857 857 + 858 858 + Supported formats: JPEG, PNG, GIF, WebP, MP4 859 859 + Max size: 50MB 860 860 + Orphaned blobs are automatically cleaned up after 24 hours. 861 861 + ``` 862 862 + 863 863 + **Step 3: Commit** 864 864 + 865 865 + ```bash 866 866 + git add README.md 867 867 + git commit -m "docs: update README with blob storage feature" 868 868 + ``` 869 869 + 870 870 + --- 871 871 + 872 872 + ## Summary 873 873 + 874 874 + | Task | Description | Files Modified | 875 875 + |------|-------------|----------------| 876 876 + | 1 | Add R2 bucket binding | `wrangler.toml` | 877 877 + | 2 | Add blob database schema | `src/pds.js` | 878 878 + | 3 | Implement MIME sniffing | `src/pds.js`, `test/pds.test.js` | 879 879 + | 4 | Implement blob ref detection | `src/pds.js`, `test/pds.test.js` | 880 880 + | 5 | Implement uploadBlob endpoint | `src/pds.js` | 881 881 + | 6 | Implement getBlob endpoint | `src/pds.js` | 882 882 + | 7 | Implement listBlobs endpoint | `src/pds.js` | 883 883 + | 8 | Integrate blob association | `src/pds.js` | 884 884 + | 9 | Cleanup blobs on delete | `src/pds.js` | 885 885 + | 10 | Add orphan cleanup alarm | `src/pds.js` | 886 886 + | 11 | Update README | `README.md` | 887 887 + 888 888 + **Estimated additions:** ~250 lines to `src/pds.js`, ~60 lines to `test/pds.test.js`

+2 -1

package.json

··· 4 4 "private": true, 5 5 "type": "module", 6 6 "scripts": { 7 7 - "dev": "wrangler dev", 7 7 + "dev": "wrangler dev --persist-to .wrangler/state", 8 8 + "dev:remote": "wrangler dev --remote", 8 9 "deploy": "wrangler deploy", 9 10 "test": "node --test test/*.test.js", 10 11 "test:e2e": "./test/e2e.sh",

+440 -15

src/pds.js

··· 28 28 return Response.json({ error, message }, { status }); 29 29 } 30 30 31 31 + // === MIME TYPE SNIFFING === 32 32 + // Detect file type from magic bytes (first 12 bytes) 33 33 + // Reference: https://en.wikipedia.org/wiki/List_of_file_signatures 34 34 + 35 35 + /** 36 36 + * Sniff MIME type from file magic bytes 37 37 + * @param {Uint8Array|ArrayBuffer} bytes - File bytes (only first 12 needed) 38 38 + * @returns {string|null} Detected MIME type or null if unknown 39 39 + */ 40 40 + export function sniffMimeType(bytes) { 41 41 + const arr = new Uint8Array(bytes.slice(0, 12)); 42 42 + 43 43 + // JPEG: FF D8 FF 44 44 + if (arr[0] === 0xff && arr[1] === 0xd8 && arr[2] === 0xff) { 45 45 + return 'image/jpeg'; 46 46 + } 47 47 + 48 48 + // PNG: 89 50 4E 47 0D 0A 1A 0A 49 49 + if ( 50 50 + arr[0] === 0x89 && 51 51 + arr[1] === 0x50 && 52 52 + arr[2] === 0x4e && 53 53 + arr[3] === 0x47 && 54 54 + arr[4] === 0x0d && 55 55 + arr[5] === 0x0a && 56 56 + arr[6] === 0x1a && 57 57 + arr[7] === 0x0a 58 58 + ) { 59 59 + return 'image/png'; 60 60 + } 61 61 + 62 62 + // GIF: 47 49 46 38 (GIF8) 63 63 + if ( 64 64 + arr[0] === 0x47 && 65 65 + arr[1] === 0x49 && 66 66 + arr[2] === 0x46 && 67 67 + arr[3] === 0x38 68 68 + ) { 69 69 + return 'image/gif'; 70 70 + } 71 71 + 72 72 + // WebP: RIFF....WEBP 73 73 + if ( 74 74 + arr[0] === 0x52 && 75 75 + arr[1] === 0x49 && 76 76 + arr[2] === 0x46 && 77 77 + arr[3] === 0x46 && 78 78 + arr[8] === 0x57 && 79 79 + arr[9] === 0x45 && 80 80 + arr[10] === 0x42 && 81 81 + arr[11] === 0x50 82 82 + ) { 83 83 + return 'image/webp'; 84 84 + } 85 85 + 86 86 + // ISOBMFF container: ....ftyp at byte 4 (MP4, AVIF, HEIC, etc.) 87 87 + if ( 88 88 + arr[4] === 0x66 && 89 89 + arr[5] === 0x74 && 90 90 + arr[6] === 0x79 && 91 91 + arr[7] === 0x70 92 92 + ) { 93 93 + // Check brand code at bytes 8-11 94 94 + const brand = String.fromCharCode(arr[8], arr[9], arr[10], arr[11]); 95 95 + if (brand === 'avif') { 96 96 + return 'image/avif'; 97 97 + } 98 98 + if (brand === 'heic' || brand === 'heix' || brand === 'mif1') { 99 99 + return 'image/heic'; 100 100 + } 101 101 + return 'video/mp4'; 102 102 + } 103 103 + 104 104 + return null; 105 105 + } 106 106 + 107 107 + // === BLOB REF DETECTION === 108 108 + // Recursively find blob references in records 109 109 + 110 110 + /** 111 111 + * Find all blob CID references in a record 112 112 + * @param {*} obj - Record value to scan 113 113 + * @param {string[]} refs - Accumulator array (internal) 114 114 + * @returns {string[]} Array of blob CID strings 115 115 + */ 116 116 + export function findBlobRefs(obj, refs = []) { 117 117 + if (!obj || typeof obj !== 'object') { 118 118 + return refs; 119 119 + } 120 120 + 121 121 + // Check if this object is a blob ref 122 122 + if (obj.$type === 'blob' && obj.ref?.$link) { 123 123 + refs.push(obj.ref.$link); 124 124 + } 125 125 + 126 126 + // Recurse into arrays and objects 127 127 + if (Array.isArray(obj)) { 128 128 + for (const item of obj) { 129 129 + findBlobRefs(item, refs); 130 130 + } 131 131 + } else { 132 132 + for (const value of Object.values(obj)) { 133 133 + findBlobRefs(value, refs); 134 134 + } 135 135 + } 136 136 + 137 137 + return refs; 138 138 + } 139 139 + 31 140 // === CRAWLER NOTIFICATION === 32 141 // Notify relays to come crawl us after writes (like official PDS) 33 142 let lastCrawlNotify = 0; ··· 49 158 method: 'POST', 50 159 headers: { 'Content-Type': 'application/json' }, 51 160 body: JSON.stringify({ hostname }), 52 52 - }).catch((err) => { 53 53 - console.log('Failed to notify relay:', err.message); 161 161 + }).catch(() => { 162 162 + // Silently ignore relay notification failures 54 163 }); 55 164 } 56 165 ··· 286 395 } 287 396 288 397 // === CID GENERATION === 289 289 - // dag-cbor (0x71) + sha-256 (0x12) + 32 bytes 398 398 + // CID codec constants 399 399 + const CODEC_DAG_CBOR = 0x71; 400 400 + const CODEC_RAW = 0x55; 290 401 291 402 /** 292 292 - * Create a CIDv1 (dag-cbor + sha-256) from raw bytes 403 403 + * Create a CIDv1 with SHA-256 hash 293 404 * @param {Uint8Array} bytes - Content to hash 405 405 + * @param {number} codec - Codec identifier (0x71 for dag-cbor, 0x55 for raw) 294 406 * @returns {Promise<Uint8Array>} CID bytes (36 bytes: version + codec + multihash) 295 407 */ 296 296 - export async function createCid(bytes) { 408 408 + async function createCidWithCodec(bytes, codec) { 297 409 const hash = await crypto.subtle.digest('SHA-256', bytes); 298 410 const hashBytes = new Uint8Array(hash); 299 411 300 300 - // CIDv1: version(1) + codec(dag-cbor=0x71) + multihash(sha256) 412 412 + // CIDv1: version(1) + codec + multihash(sha256) 301 413 // Multihash: hash-type(0x12) + length(0x20=32) + digest 302 414 const cid = new Uint8Array(2 + 2 + 32); 303 415 cid[0] = 0x01; // CIDv1 304 304 - cid[1] = 0x71; // dag-cbor codec 416 416 + cid[1] = codec; 305 417 cid[2] = 0x12; // sha-256 306 418 cid[3] = 0x20; // 32 bytes 307 419 cid.set(hashBytes, 4); 308 420 309 421 return cid; 422 422 + } 423 423 + 424 424 + /** 425 425 + * Create CID for DAG-CBOR encoded data (records, commits) 426 426 + * @param {Uint8Array} bytes - DAG-CBOR encoded content 427 427 + * @returns {Promise<Uint8Array>} CID bytes 428 428 + */ 429 429 + export async function createCid(bytes) { 430 430 + return createCidWithCodec(bytes, CODEC_DAG_CBOR); 431 431 + } 432 432 + 433 433 + /** 434 434 + * Create CID for raw blob data (images, videos) 435 435 + * @param {Uint8Array} bytes - Raw binary content 436 436 + * @returns {Promise<Uint8Array>} CID bytes 437 437 + */ 438 438 + export async function createBlobCid(bytes) { 439 439 + return createCidWithCodec(bytes, CODEC_RAW); 310 440 } 311 441 312 442 /** ··· 1134 1264 '/xrpc/com.atproto.repo.listRecords': { 1135 1265 handler: (pds, _req, url) => pds.handleListRecords(url), 1136 1266 }, 1267 1267 + '/xrpc/com.atproto.repo.uploadBlob': { 1268 1268 + method: 'POST', 1269 1269 + handler: (pds, req, _url) => pds.handleUploadBlob(req), 1270 1270 + }, 1137 1271 '/xrpc/com.atproto.sync.getLatestCommit': { 1138 1272 handler: (pds, _req, _url) => pds.handleGetLatestCommit(), 1139 1273 }, ··· 1145 1279 }, 1146 1280 '/xrpc/com.atproto.sync.getRecord': { 1147 1281 handler: (pds, _req, url) => pds.handleSyncGetRecord(url), 1282 1282 + }, 1283 1283 + '/xrpc/com.atproto.sync.getBlob': { 1284 1284 + handler: (pds, _req, url) => pds.handleGetBlob(url), 1285 1285 + }, 1286 1286 + '/xrpc/com.atproto.sync.listBlobs': { 1287 1287 + handler: (pds, _req, url) => pds.handleListBlobs(url), 1148 1288 }, 1149 1289 '/xrpc/com.atproto.sync.subscribeRepos': { 1150 1290 handler: (pds, req, url) => pds.handleSubscribeRepos(req, url), ··· 1186 1326 evt BLOB NOT NULL 1187 1327 ); 1188 1328 1329 1329 + CREATE TABLE IF NOT EXISTS blob ( 1330 1330 + cid TEXT PRIMARY KEY, 1331 1331 + mimeType TEXT NOT NULL, 1332 1332 + size INTEGER NOT NULL, 1333 1333 + createdAt TEXT NOT NULL 1334 1334 + ); 1335 1335 + 1336 1336 + CREATE TABLE IF NOT EXISTS record_blob ( 1337 1337 + blobCid TEXT NOT NULL, 1338 1338 + recordUri TEXT NOT NULL, 1339 1339 + PRIMARY KEY (blobCid, recordUri) 1340 1340 + ); 1341 1341 + 1342 1342 + CREATE INDEX IF NOT EXISTS idx_record_blob_uri ON record_blob(recordUri); 1343 1343 + 1189 1344 CREATE INDEX IF NOT EXISTS idx_records_collection ON records(collection, rkey); 1190 1345 `); 1191 1346 } ··· 1196 1351 if (handle) { 1197 1352 await this.state.storage.put('handle', handle); 1198 1353 } 1354 1354 + 1355 1355 + // Schedule blob cleanup alarm (runs daily) 1356 1356 + const currentAlarm = await this.state.storage.getAlarm(); 1357 1357 + if (!currentAlarm) { 1358 1358 + await this.state.storage.setAlarm(Date.now() + 24 * 60 * 60 * 1000); 1359 1359 + } 1199 1360 } 1200 1361 1201 1362 async getDid() { ··· 1279 1440 recordBytes, 1280 1441 ); 1281 1442 1443 1443 + // Associate blobs with this record (delete old associations first for updates) 1444 1444 + this.sql.exec('DELETE FROM record_blob WHERE recordUri = ?', uri); 1445 1445 + 1446 1446 + const blobRefs = findBlobRefs(record); 1447 1447 + for (const blobCid of blobRefs) { 1448 1448 + // Verify blob exists 1449 1449 + const blobExists = this.sql 1450 1450 + .exec('SELECT cid FROM blob WHERE cid = ?', blobCid) 1451 1451 + .toArray(); 1452 1452 + 1453 1453 + if (blobExists.length === 0) { 1454 1454 + throw new Error(`BlobNotFound: ${blobCid}`); 1455 1455 + } 1456 1456 + 1457 1457 + // Create association 1458 1458 + this.sql.exec( 1459 1459 + 'INSERT INTO record_blob (blobCid, recordUri) VALUES (?, ?)', 1460 1460 + blobCid, 1461 1461 + uri, 1462 1462 + ); 1463 1463 + } 1464 1464 + 1282 1465 // Rebuild MST 1283 1466 const mst = new MST(this.sql); 1284 1467 const dataRoot = await mst.computeRoot(); ··· 1379 1562 body: JSON.stringify({ ...row, evt: evtArray }), 1380 1563 }), 1381 1564 ) 1382 1382 - .then((r) => r.json()) 1383 1383 - .then((r) => console.log('forward result:', r)) 1384 1384 - .catch((e) => console.log('forward error:', e)); 1565 1565 + .catch(() => {}); // Ignore forward errors 1385 1566 } 1386 1567 } 1387 1568 ··· 1405 1586 // Delete from records table 1406 1587 this.sql.exec(`DELETE FROM records WHERE uri = ?`, uri); 1407 1588 1589 1589 + // Get blobs associated with this record 1590 1590 + const associatedBlobs = this.sql 1591 1591 + .exec('SELECT blobCid FROM record_blob WHERE recordUri = ?', uri) 1592 1592 + .toArray(); 1593 1593 + 1594 1594 + // Remove associations for this record 1595 1595 + this.sql.exec('DELETE FROM record_blob WHERE recordUri = ?', uri); 1596 1596 + 1597 1597 + // Check each blob for orphan status and delete if unreferenced 1598 1598 + for (const { blobCid } of associatedBlobs) { 1599 1599 + const stillReferenced = this.sql 1600 1600 + .exec('SELECT 1 FROM record_blob WHERE blobCid = ? LIMIT 1', blobCid) 1601 1601 + .toArray(); 1602 1602 + 1603 1603 + if (stillReferenced.length === 0) { 1604 1604 + // Blob is orphaned, delete from R2 and database 1605 1605 + await this.env.BLOBS.delete(`${did}/${blobCid}`); 1606 1606 + this.sql.exec('DELETE FROM blob WHERE cid = ?', blobCid); 1607 1607 + } 1608 1608 + } 1609 1609 + 1408 1610 // Rebuild MST 1409 1611 const mst = new MST(this.sql); 1410 1612 const dataRoot = await mst.computeRoot(); ··· 1496 1698 body: JSON.stringify({ ...row, evt: evtArray }), 1497 1699 }), 1498 1700 ) 1499 1499 - .catch((e) => console.log('forward error:', e)); 1701 1701 + .catch(() => {}); // Ignore forward errors 1500 1702 } 1501 1703 } 1502 1704 ··· 1602 1804 async handleForwardEvent(request) { 1603 1805 const evt = await request.json(); 1604 1806 const numSockets = [...this.state.getWebSockets()].length; 1605 1605 - console.log( 1606 1606 - `forward-event: received event seq=${evt.seq}, ${numSockets} connected sockets`, 1607 1607 - ); 1608 1807 this.broadcastEvent({ 1609 1808 seq: evt.seq, 1610 1809 did: evt.did, ··· 2287 2486 }); 2288 2487 } 2289 2488 2489 2489 + async handleUploadBlob(request) { 2490 2490 + // Require auth 2491 2491 + const authHeader = request.headers.get('Authorization'); 2492 2492 + if (!authHeader || !authHeader.startsWith('Bearer ')) { 2493 2493 + return errorResponse( 2494 2494 + 'AuthRequired', 2495 2495 + 'Missing or invalid authorization header', 2496 2496 + 401, 2497 2497 + ); 2498 2498 + } 2499 2499 + 2500 2500 + const token = authHeader.slice(7); 2501 2501 + const jwtSecret = this.env?.JWT_SECRET; 2502 2502 + if (!jwtSecret) { 2503 2503 + return errorResponse( 2504 2504 + 'InternalServerError', 2505 2505 + 'Server not configured for authentication', 2506 2506 + 500, 2507 2507 + ); 2508 2508 + } 2509 2509 + 2510 2510 + try { 2511 2511 + await verifyAccessJwt(token, jwtSecret); 2512 2512 + } catch (err) { 2513 2513 + return errorResponse('InvalidToken', err.message, 401); 2514 2514 + } 2515 2515 + 2516 2516 + const did = await this.getDid(); 2517 2517 + if (!did) { 2518 2518 + return errorResponse('InvalidRequest', 'PDS not initialized', 400); 2519 2519 + } 2520 2520 + 2521 2521 + // Read body as ArrayBuffer 2522 2522 + const bodyBytes = await request.arrayBuffer(); 2523 2523 + const size = bodyBytes.byteLength; 2524 2524 + 2525 2525 + // Check size limits 2526 2526 + if (size === 0) { 2527 2527 + return errorResponse('InvalidRequest', 'Empty blobs are not allowed', 400); 2528 2528 + } 2529 2529 + const MAX_BLOB_SIZE = 50 * 1024 * 1024; 2530 2530 + if (size > MAX_BLOB_SIZE) { 2531 2531 + return errorResponse( 2532 2532 + 'BlobTooLarge', 2533 2533 + `Blob size ${size} exceeds maximum ${MAX_BLOB_SIZE}`, 2534 2534 + 400, 2535 2535 + ); 2536 2536 + } 2537 2537 + 2538 2538 + // Sniff MIME type, fall back to Content-Type header 2539 2539 + const contentType = 2540 2540 + request.headers.get('Content-Type') || 'application/octet-stream'; 2541 2541 + const sniffed = sniffMimeType(bodyBytes); 2542 2542 + const mimeType = sniffed || contentType; 2543 2543 + 2544 2544 + // Compute CID using raw codec for blobs 2545 2545 + const cid = await createBlobCid(new Uint8Array(bodyBytes)); 2546 2546 + const cidStr = cidToString(cid); 2547 2547 + 2548 2548 + // Upload to R2 (idempotent - same CID always has same content) 2549 2549 + const r2Key = `${did}/${cidStr}`; 2550 2550 + await this.env.BLOBS.put(r2Key, bodyBytes, { 2551 2551 + httpMetadata: { contentType: mimeType }, 2552 2552 + }); 2553 2553 + 2554 2554 + // Insert metadata (INSERT OR IGNORE handles concurrent uploads) 2555 2555 + const createdAt = new Date().toISOString(); 2556 2556 + this.sql.exec( 2557 2557 + 'INSERT OR IGNORE INTO blob (cid, mimeType, size, createdAt) VALUES (?, ?, ?, ?)', 2558 2558 + cidStr, 2559 2559 + mimeType, 2560 2560 + size, 2561 2561 + createdAt, 2562 2562 + ); 2563 2563 + 2564 2564 + // Return BlobRef 2565 2565 + return Response.json({ 2566 2566 + blob: { 2567 2567 + $type: 'blob', 2568 2568 + ref: { $link: cidStr }, 2569 2569 + mimeType, 2570 2570 + size, 2571 2571 + }, 2572 2572 + }); 2573 2573 + } 2574 2574 + 2575 2575 + async handleGetBlob(url) { 2576 2576 + const did = url.searchParams.get('did'); 2577 2577 + const cid = url.searchParams.get('cid'); 2578 2578 + 2579 2579 + if (!did || !cid) { 2580 2580 + return errorResponse('InvalidRequest', 'missing did or cid parameter', 400); 2581 2581 + } 2582 2582 + 2583 2583 + // Validate CID format (CIDv1 base32lower: starts with 'b', 59 chars total) 2584 2584 + if (!/^b[a-z2-7]{58}$/.test(cid)) { 2585 2585 + return errorResponse('InvalidRequest', 'invalid CID format', 400); 2586 2586 + } 2587 2587 + 2588 2588 + // Verify DID matches this DO 2589 2589 + const myDid = await this.getDid(); 2590 2590 + if (did !== myDid) { 2591 2591 + return errorResponse('InvalidRequest', 'DID does not match this repo', 400); 2592 2592 + } 2593 2593 + 2594 2594 + // Look up blob metadata 2595 2595 + const rows = this.sql 2596 2596 + .exec('SELECT mimeType, size FROM blob WHERE cid = ?', cid) 2597 2597 + .toArray(); 2598 2598 + 2599 2599 + if (rows.length === 0) { 2600 2600 + return errorResponse('BlobNotFound', 'blob not found', 404); 2601 2601 + } 2602 2602 + 2603 2603 + const { mimeType, size } = rows[0]; 2604 2604 + 2605 2605 + // Fetch from R2 2606 2606 + const r2Key = `${did}/${cid}`; 2607 2607 + const object = await this.env.BLOBS.get(r2Key); 2608 2608 + 2609 2609 + if (!object) { 2610 2610 + return errorResponse('BlobNotFound', 'blob not found in storage', 404); 2611 2611 + } 2612 2612 + 2613 2613 + // Return blob with security headers 2614 2614 + return new Response(object.body, { 2615 2615 + headers: { 2616 2616 + 'Content-Type': mimeType, 2617 2617 + 'Content-Length': String(size), 2618 2618 + 'X-Content-Type-Options': 'nosniff', 2619 2619 + 'Content-Security-Policy': "default-src 'none'; sandbox", 2620 2620 + 'Cache-Control': 'public, max-age=31536000, immutable', 2621 2621 + }, 2622 2622 + }); 2623 2623 + } 2624 2624 + 2625 2625 + async handleListBlobs(url) { 2626 2626 + const did = url.searchParams.get('did'); 2627 2627 + const cursor = url.searchParams.get('cursor'); 2628 2628 + const limit = Math.min(Number(url.searchParams.get('limit')) || 500, 1000); 2629 2629 + 2630 2630 + if (!did) { 2631 2631 + return errorResponse('InvalidRequest', 'missing did parameter', 400); 2632 2632 + } 2633 2633 + 2634 2634 + // Verify DID matches this DO 2635 2635 + const myDid = await this.getDid(); 2636 2636 + if (did !== myDid) { 2637 2637 + return errorResponse('InvalidRequest', 'DID does not match this repo', 400); 2638 2638 + } 2639 2639 + 2640 2640 + // Query blobs with pagination (cursor is createdAt::cid for uniqueness) 2641 2641 + let query = 'SELECT cid, createdAt FROM blob'; 2642 2642 + const params = []; 2643 2643 + 2644 2644 + if (cursor) { 2645 2645 + const [cursorTime, cursorCid] = cursor.split('::'); 2646 2646 + query += ' WHERE (createdAt > ? OR (createdAt = ? AND cid > ?))'; 2647 2647 + params.push(cursorTime, cursorTime, cursorCid); 2648 2648 + } 2649 2649 + 2650 2650 + query += ' ORDER BY createdAt ASC, cid ASC LIMIT ?'; 2651 2651 + params.push(limit + 1); // Fetch one extra to detect if there's more 2652 2652 + 2653 2653 + const rows = this.sql.exec(query, ...params).toArray(); 2654 2654 + 2655 2655 + // Determine if there's a next page 2656 2656 + let nextCursor = null; 2657 2657 + if (rows.length > limit) { 2658 2658 + rows.pop(); // Remove the extra row 2659 2659 + const last = rows[rows.length - 1]; 2660 2660 + nextCursor = `${last.createdAt}::${last.cid}`; 2661 2661 + } 2662 2662 + 2663 2663 + return Response.json({ 2664 2664 + cids: rows.map((r) => r.cid), 2665 2665 + cursor: nextCursor, 2666 2666 + }); 2667 2667 + } 2668 2668 + 2290 2669 handleSubscribeRepos(request, url) { 2291 2670 const upgradeHeader = request.headers.get('Upgrade'); 2292 2671 if (upgradeHeader !== 'websocket') { ··· 2332 2711 2333 2712 return errorResponse('NotFound', 'not found', 404); 2334 2713 } 2714 2714 + 2715 2715 + async alarm() { 2716 2716 + await this.cleanupOrphanedBlobs(); 2717 2717 + // Reschedule for next day 2718 2718 + await this.state.storage.setAlarm(Date.now() + 24 * 60 * 60 * 1000); 2719 2719 + } 2720 2720 + 2721 2721 + async cleanupOrphanedBlobs() { 2722 2722 + const did = await this.getDid(); 2723 2723 + if (!did) return; 2724 2724 + 2725 2725 + // Find orphans: blobs not in record_blob, older than 24h 2726 2726 + const cutoff = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); 2727 2727 + 2728 2728 + const orphans = this.sql 2729 2729 + .exec( 2730 2730 + `SELECT b.cid FROM blob b 2731 2731 + LEFT JOIN record_blob rb ON b.cid = rb.blobCid 2732 2732 + WHERE rb.blobCid IS NULL AND b.createdAt < ?`, 2733 2733 + cutoff, 2734 2734 + ) 2735 2735 + .toArray(); 2736 2736 + 2737 2737 + for (const { cid } of orphans) { 2738 2738 + await this.env.BLOBS.delete(`${did}/${cid}`); 2739 2739 + this.sql.exec('DELETE FROM blob WHERE cid = ?', cid); 2740 2740 + } 2741 2741 + 2742 2742 + } 2335 2743 } 2336 2744 2337 2745 const corsHeaders = { ··· 2430 2838 ), 2431 2839 }; 2432 2840 } 2841 2841 + } 2842 2842 + 2843 2843 + async function handleAuthenticatedBlobUpload(request, env) { 2844 2844 + const auth = await requireAuth(request, env); 2845 2845 + if (auth.error) return auth.error; 2846 2846 + 2847 2847 + // Route to the user's DO based on their DID from the token 2848 2848 + const id = env.PDS.idFromName(auth.did); 2849 2849 + const pds = env.PDS.get(id); 2850 2850 + return pds.fetch(request); 2433 2851 } 2434 2852 2435 2853 async function handleAuthenticatedRepoWrite(request, env) { ··· 2626 3044 url.pathname === '/xrpc/com.atproto.sync.getLatestCommit' || 2627 3045 url.pathname === '/xrpc/com.atproto.sync.getRepoStatus' || 2628 3046 url.pathname === '/xrpc/com.atproto.sync.getRepo' || 2629 2629 - url.pathname === '/xrpc/com.atproto.sync.getRecord' 3047 3047 + url.pathname === '/xrpc/com.atproto.sync.getRecord' || 3048 3048 + url.pathname === '/xrpc/com.atproto.sync.getBlob' || 3049 3049 + url.pathname === '/xrpc/com.atproto.sync.listBlobs' 2630 3050 ) { 2631 3051 const did = url.searchParams.get('did'); 2632 3052 if (!did) { ··· 2635 3055 const id = env.PDS.idFromName(did); 2636 3056 const pds = env.PDS.get(id); 2637 3057 return pds.fetch(request); 3058 3058 + } 3059 3059 + 3060 3060 + // Blob upload endpoint (binary body, uses DID from token) 3061 3061 + if (url.pathname === '/xrpc/com.atproto.repo.uploadBlob') { 3062 3062 + return handleAuthenticatedBlobUpload(request, env); 2638 3063 } 2639 3064 2640 3065 // Authenticated repo write endpoints

+84 -3

test/e2e.sh

··· 3 3 set -e 4 4 5 5 BASE="http://localhost:8787" 6 6 - DID="did:plc:c6vxslynzebnlk5kw2orx37o" 6 6 + # Generate unique test DID (or use env var for consistency) 7 7 + DID="${TEST_DID:-did:plc:test$(openssl rand -hex 8)}" 7 8 8 9 # Helper for colored output 9 10 pass() { echo "✓ $1"; } ··· 23 24 } 24 25 trap cleanup EXIT 25 26 26 26 - # Start wrangler dev 27 27 + # Start wrangler dev with local R2 persistence 27 28 echo "Starting wrangler dev..." 28 28 - npx wrangler dev --port 8787 >/dev/null 2>&1 & 29 29 + npx wrangler dev --port 8787 --persist-to .wrangler/state >/dev/null 2>&1 & 29 30 WRANGLER_PID=$! 30 31 31 32 # Wait for server to be ready ··· 202 203 # Non-existent record returns 404 203 204 STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE/xrpc/com.atproto.repo.getRecord?repo=$DID&collection=app.bsky.feed.post&rkey=nonexistent") 204 205 [ "$STATUS" = "400" ] || [ "$STATUS" = "404" ] && pass "Non-existent record error" || fail "Non-existent record should error" 206 206 + 207 207 + # Blob tests 208 208 + echo 209 209 + echo "Testing blob endpoints..." 210 210 + 211 211 + # Create a minimal valid PNG (1x1 transparent pixel) 212 212 + # PNG signature + IHDR + IDAT + IEND 213 213 + PNG_FILE=$(mktemp) 214 214 + printf '\x89PNG\r\n\x1a\n' > "$PNG_FILE" 215 215 + printf '\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89' >> "$PNG_FILE" 216 216 + printf '\x00\x00\x00\nIDATx\x9cc\x00\x01\x00\x00\x05\x00\x01\r\n-\xb4' >> "$PNG_FILE" 217 217 + printf '\x00\x00\x00\x00IEND\xaeB`\x82' >> "$PNG_FILE" 218 218 + 219 219 + # uploadBlob requires auth 220 220 + STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$BASE/xrpc/com.atproto.repo.uploadBlob" \ 221 221 + -H "Content-Type: image/png" \ 222 222 + --data-binary @"$PNG_FILE") 223 223 + [ "$STATUS" = "401" ] && pass "uploadBlob rejects without auth" || fail "uploadBlob should require auth" 224 224 + 225 225 + # uploadBlob works with auth 226 226 + BLOB_RESULT=$(curl -sf -X POST "$BASE/xrpc/com.atproto.repo.uploadBlob" \ 227 227 + -H "Authorization: Bearer $TOKEN" \ 228 228 + -H "Content-Type: image/png" \ 229 229 + --data-binary @"$PNG_FILE") 230 230 + BLOB_CID=$(echo "$BLOB_RESULT" | jq -r '.blob.ref."$link"') 231 231 + BLOB_MIME=$(echo "$BLOB_RESULT" | jq -r '.blob.mimeType') 232 232 + [ "$BLOB_CID" != "null" ] && [ -n "$BLOB_CID" ] && pass "uploadBlob returns CID" || fail "uploadBlob" 233 233 + [ "$BLOB_MIME" = "image/png" ] && pass "uploadBlob detects PNG mime type" || fail "uploadBlob mime detection" 234 234 + 235 235 + # listBlobs shows the uploaded blob 236 236 + curl -sf "$BASE/xrpc/com.atproto.sync.listBlobs?did=$DID" | 237 237 + jq -e ".cids | index(\"$BLOB_CID\")" >/dev/null && pass "listBlobs includes uploaded blob" || fail "listBlobs" 238 238 + 239 239 + # getBlob retrieves the blob 240 240 + BLOB_SIZE=$(curl -sf "$BASE/xrpc/com.atproto.sync.getBlob?did=$DID&cid=$BLOB_CID" | wc -c) 241 241 + [ "$BLOB_SIZE" -gt 0 ] && pass "getBlob retrieves blob data" || fail "getBlob" 242 242 + 243 243 + # getBlob returns correct headers 244 244 + BLOB_HEADERS=$(curl -sI "$BASE/xrpc/com.atproto.sync.getBlob?did=$DID&cid=$BLOB_CID") 245 245 + echo "$BLOB_HEADERS" | grep -qi "content-type: image/png" && pass "getBlob Content-Type header" || fail "getBlob Content-Type" 246 246 + echo "$BLOB_HEADERS" | grep -qi "x-content-type-options: nosniff" && pass "getBlob security headers" || fail "getBlob security headers" 247 247 + 248 248 + # getBlob rejects wrong DID 249 249 + STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE/xrpc/com.atproto.sync.getBlob?did=did:plc:wrongdid&cid=$BLOB_CID") 250 250 + [ "$STATUS" = "400" ] && pass "getBlob rejects wrong DID" || fail "getBlob should reject wrong DID" 251 251 + 252 252 + # getBlob returns 400 for invalid CID format 253 253 + STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE/xrpc/com.atproto.sync.getBlob?did=$DID&cid=invalid") 254 254 + [ "$STATUS" = "400" ] && pass "getBlob rejects invalid CID format" || fail "getBlob should reject invalid CID" 255 255 + 256 256 + # getBlob returns 404 for non-existent blob (valid format CID - 59 chars) 257 257 + STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE/xrpc/com.atproto.sync.getBlob?did=$DID&cid=bafkreiaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") 258 258 + [ "$STATUS" = "404" ] && pass "getBlob 404 for missing blob" || fail "getBlob should 404" 259 259 + 260 260 + # Create a record with blob reference 261 261 + BLOB_POST=$(curl -sf -X POST "$BASE/xrpc/com.atproto.repo.createRecord" \ 262 262 + -H "Authorization: Bearer $TOKEN" \ 263 263 + -H "Content-Type: application/json" \ 264 264 + -d "{\"repo\":\"$DID\",\"collection\":\"app.bsky.feed.post\",\"record\":{\"text\":\"post with image\",\"createdAt\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"embed\":{\"\$type\":\"app.bsky.embed.images\",\"images\":[{\"image\":{\"\$type\":\"blob\",\"ref\":{\"\$link\":\"$BLOB_CID\"},\"mimeType\":\"image/png\",\"size\":$(wc -c < "$PNG_FILE")},\"alt\":\"test\"}]}}}") 265 265 + BLOB_POST_URI=$(echo "$BLOB_POST" | jq -r '.uri') 266 266 + BLOB_POST_RKEY=$(echo "$BLOB_POST_URI" | sed 's|.*/||') 267 267 + [ "$BLOB_POST_URI" != "null" ] && [ -n "$BLOB_POST_URI" ] && pass "createRecord with blob ref" || fail "createRecord with blob" 268 268 + 269 269 + # Blob still exists after record creation 270 270 + curl -sf "$BASE/xrpc/com.atproto.sync.listBlobs?did=$DID" | 271 271 + jq -e ".cids | index(\"$BLOB_CID\")" >/dev/null && pass "blob persists after record creation" || fail "blob should persist" 272 272 + 273 273 + # Delete the record with blob 274 274 + curl -sf -X POST "$BASE/xrpc/com.atproto.repo.deleteRecord" \ 275 275 + -H "Authorization: Bearer $TOKEN" \ 276 276 + -H "Content-Type: application/json" \ 277 277 + -d "{\"repo\":\"$DID\",\"collection\":\"app.bsky.feed.post\",\"rkey\":\"$BLOB_POST_RKEY\"}" >/dev/null && 278 278 + pass "deleteRecord with blob" || fail "deleteRecord with blob" 279 279 + 280 280 + # Blob should be cleaned up (orphaned) 281 281 + BLOB_COUNT=$(curl -sf "$BASE/xrpc/com.atproto.sync.listBlobs?did=$DID" | jq '.cids | length') 282 282 + [ "$BLOB_COUNT" = "0" ] && pass "orphaned blob cleaned up on delete" || fail "blob should be cleaned up" 283 283 + 284 284 + # Clean up temp file 285 285 + rm -f "$PNG_FILE" 205 286 206 287 # Cleanup: delete the test record 207 288 curl -sf -X POST "$BASE/xrpc/com.atproto.repo.deleteRecord" \

+145 -1

test/pds.test.js

··· 12 12 cidToString, 13 13 createAccessJwt, 14 14 createCid, 15 15 + createBlobCid, 15 16 createRefreshJwt, 16 17 createTid, 18 18 + findBlobRefs, 17 19 generateKeyPair, 18 20 getKeyDepth, 19 21 hexToBytes, 20 22 importPrivateKey, 21 23 sign, 24 24 + sniffMimeType, 22 25 varint, 23 26 verifyAccessJwt, 24 27 verifyRefreshJwt, ··· 127 130 }); 128 131 129 132 describe('CID Generation', () => { 130 130 - test('creates CIDv1 with dag-cbor codec', async () => { 133 133 + test('createCid uses dag-cbor codec', async () => { 131 134 const data = cborEncode({ test: 'data' }); 132 135 const cid = await createCid(data); 133 136 ··· 136 139 assert.strictEqual(cid[1], 0x71); // dag-cbor 137 140 assert.strictEqual(cid[2], 0x12); // sha-256 138 141 assert.strictEqual(cid[3], 0x20); // 32 bytes 142 142 + }); 143 143 + 144 144 + test('createBlobCid uses raw codec', async () => { 145 145 + const data = new Uint8Array([0xff, 0xd8, 0xff, 0xe0]); // JPEG magic bytes 146 146 + const cid = await createBlobCid(data); 147 147 + 148 148 + assert.strictEqual(cid.length, 36); 149 149 + assert.strictEqual(cid[0], 0x01); // CIDv1 150 150 + assert.strictEqual(cid[1], 0x55); // raw codec 151 151 + assert.strictEqual(cid[2], 0x12); // sha-256 152 152 + assert.strictEqual(cid[3], 0x20); // 32 bytes 153 153 + }); 154 154 + 155 155 + test('same bytes produce different CIDs with different codecs', async () => { 156 156 + const data = new Uint8Array([1, 2, 3, 4]); 157 157 + const dagCborCid = cidToString(await createCid(data)); 158 158 + const rawCid = cidToString(await createBlobCid(data)); 159 159 + 160 160 + assert.notStrictEqual(dagCborCid, rawCid); 139 161 }); 140 162 141 163 test('cidToString returns base32lower with b prefix', async () => { ··· 572 594 ); 573 595 }); 574 596 }); 597 597 + 598 598 + describe('MIME Type Sniffing', () => { 599 599 + test('detects JPEG', () => { 600 600 + const bytes = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]); 601 601 + assert.strictEqual(sniffMimeType(bytes), 'image/jpeg'); 602 602 + }); 603 603 + 604 604 + test('detects PNG', () => { 605 605 + const bytes = new Uint8Array([ 606 606 + 0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 607 607 + ]); 608 608 + assert.strictEqual(sniffMimeType(bytes), 'image/png'); 609 609 + }); 610 610 + 611 611 + test('detects GIF', () => { 612 612 + const bytes = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); 613 613 + assert.strictEqual(sniffMimeType(bytes), 'image/gif'); 614 614 + }); 615 615 + 616 616 + test('detects WebP', () => { 617 617 + const bytes = new Uint8Array([ 618 618 + 0x52, 0x49, 0x46, 0x46, // RIFF 619 619 + 0x00, 0x00, 0x00, 0x00, // size (ignored) 620 620 + 0x57, 0x45, 0x42, 0x50, // WEBP 621 621 + ]); 622 622 + assert.strictEqual(sniffMimeType(bytes), 'image/webp'); 623 623 + }); 624 624 + 625 625 + test('detects MP4', () => { 626 626 + const bytes = new Uint8Array([ 627 627 + 0x00, 0x00, 0x00, 0x18, // size 628 628 + 0x66, 0x74, 0x79, 0x70, // ftyp 629 629 + 0x69, 0x73, 0x6f, 0x6d, // isom brand 630 630 + ]); 631 631 + assert.strictEqual(sniffMimeType(bytes), 'video/mp4'); 632 632 + }); 633 633 + 634 634 + test('detects AVIF', () => { 635 635 + const bytes = new Uint8Array([ 636 636 + 0x00, 0x00, 0x00, 0x1c, // size 637 637 + 0x66, 0x74, 0x79, 0x70, // ftyp 638 638 + 0x61, 0x76, 0x69, 0x66, // avif brand 639 639 + ]); 640 640 + assert.strictEqual(sniffMimeType(bytes), 'image/avif'); 641 641 + }); 642 642 + 643 643 + test('detects HEIC', () => { 644 644 + const bytes = new Uint8Array([ 645 645 + 0x00, 0x00, 0x00, 0x18, // size 646 646 + 0x66, 0x74, 0x79, 0x70, // ftyp 647 647 + 0x68, 0x65, 0x69, 0x63, // heic brand 648 648 + ]); 649 649 + assert.strictEqual(sniffMimeType(bytes), 'image/heic'); 650 650 + }); 651 651 + 652 652 + test('returns null for unknown', () => { 653 653 + const bytes = new Uint8Array([0x00, 0x01, 0x02, 0x03]); 654 654 + assert.strictEqual(sniffMimeType(bytes), null); 655 655 + }); 656 656 + }); 657 657 + 658 658 + describe('Blob Ref Detection', () => { 659 659 + test('finds blob ref in simple object', () => { 660 660 + const record = { 661 661 + $type: 'app.bsky.feed.post', 662 662 + text: 'Hello', 663 663 + embed: { 664 664 + $type: 'app.bsky.embed.images', 665 665 + images: [ 666 666 + { 667 667 + image: { 668 668 + $type: 'blob', 669 669 + ref: { $link: 'bafkreiabc123' }, 670 670 + mimeType: 'image/jpeg', 671 671 + size: 1234, 672 672 + }, 673 673 + alt: 'test image', 674 674 + }, 675 675 + ], 676 676 + }, 677 677 + }; 678 678 + const refs = findBlobRefs(record); 679 679 + assert.deepStrictEqual(refs, ['bafkreiabc123']); 680 680 + }); 681 681 + 682 682 + test('finds multiple blob refs', () => { 683 683 + const record = { 684 684 + images: [ 685 685 + { 686 686 + image: { 687 687 + $type: 'blob', 688 688 + ref: { $link: 'cid1' }, 689 689 + mimeType: 'image/png', 690 690 + size: 100, 691 691 + }, 692 692 + }, 693 693 + { 694 694 + image: { 695 695 + $type: 'blob', 696 696 + ref: { $link: 'cid2' }, 697 697 + mimeType: 'image/png', 698 698 + size: 200, 699 699 + }, 700 700 + }, 701 701 + ], 702 702 + }; 703 703 + const refs = findBlobRefs(record); 704 704 + assert.deepStrictEqual(refs, ['cid1', 'cid2']); 705 705 + }); 706 706 + 707 707 + test('returns empty array when no blobs', () => { 708 708 + const record = { text: 'Hello world', count: 42 }; 709 709 + const refs = findBlobRefs(record); 710 710 + assert.deepStrictEqual(refs, []); 711 711 + }); 712 712 + 713 713 + test('handles null and primitives', () => { 714 714 + assert.deepStrictEqual(findBlobRefs(null), []); 715 715 + assert.deepStrictEqual(findBlobRefs('string'), []); 716 716 + assert.deepStrictEqual(findBlobRefs(42), []); 717 717 + }); 718 718 + });

+5 -1

wrangler.toml

··· 8 8 9 9 [[migrations]] 10 10 tag = "v1" 11 11 - new_sqlite_classes = ["PersonalDataServer"] 11 11 + new_sqlite_classes = [ "PersonalDataServer" ] 12 12 + 13 13 + [[r2_buckets]] 14 14 + binding = "BLOBS" 15 15 + bucket_name = "pds-blobs"