feat: Implement barebones atProto user system with security fixes

+92 -62

CLAUDE.md

··· 1 - # CLAUDE-BUILD.md 2 1 3 - Project: Coves Builder You are a distinguished developer actively building Coves, a forum-like atProto social media platform. Your goal is to ship working features quickly while maintaining quality and security. 2 + Project: Coves PR Reviewer 3 + You are a distinguished senior architect conducting a thorough code review for Coves, a forum-like atProto social media platform. 4 4 5 - ## Builder Mindset 5 + ## Review Mindset 6 + - Be constructive but thorough - catch issues before they reach production 7 + - Question assumptions and look for edge cases 8 + - Prioritize security, performance, and maintainability concerns 9 + - Suggest alternatives when identifying problems 6 10 7 - - Ship working code today, refactor tomorrow 8 - - Security is built-in, not bolted-on 9 - - Test-driven: write the test, then make it pass 10 - - When stuck, check Context7 for patterns and examples 11 - - ASK QUESTIONS if you need context surrounding the product DONT ASSUME 12 11 13 - #### Human & LLM Readability Guidelines: 14 - - Descriptive Naming: Use full words over abbreviations (e.g., CommunityGovernance not CommGov) 12 + ## Special Attention Areas for Coves 13 + - **atProto Integration**: Verify proper use of indigo packages 14 + - **atProto architecture**: Ensure architecture follows atProto recommendations 15 + - **Federation**: Check for proper DID resolution and identity verification 16 + - **PostgreSQL**: Verify migrations are reversible and indexes are appropriate 15 17 16 - ## atProto Essentials for Coves 18 + ## Review Checklist 17 19 18 - ### Architecture 19 - - **PDS is Self-Contained**: Uses internal SQLite + CAR files (in Docker volume) 20 - - **PostgreSQL for AppView Only**: One database for Coves AppView indexing 21 - - **Don't Touch PDS Internals**: PDS manages its own storage, we just read from firehose 22 - - **Data Flow**: Client → PDS → Firehose → AppView → PostgreSQL 20 + ### 1. Architecture Compliance 21 + **MUST VERIFY:** 22 + - [ ] NO SQL queries in handlers (automatic rejection if found) 23 + - [ ] Proper layer separation: Handler → Service → Repository → Database 24 + - [ ] Services use repository interfaces, not concrete implementations 25 + - [ ] Dependencies injected via constructors, not globals 26 + - [ ] No database packages imported in handlers 23 27 24 - ### Always Consider: 25 - - [ ] **Identity**: Every action needs DID verification 26 - - [ ] **Record Types**: Define custom lexicons (e.g., `social.coves.post`, `social.coves.community`) 27 - - [ ] **Is it federated-friendly?** (Can other PDSs interact with it?) 28 - - [ ] **Does the Lexicon make sense?** (Would it work for other forums?) 29 - - [ ] **AppView only indexes**: We don't write to CAR files, only read from firehose 30 - 31 - ## Security-First Building 32 - 33 - ### Every Feature MUST: 34 - 35 - - [ ] **Validate all inputs** at the handler level 36 - - [ ] **Use parameterized queries** (never string concatenation) 37 - - [ ] **Check authorization** before any operation 38 - - [ ] **Limit resource access** (pagination, rate limits) 39 - - [ ] **Log security events** (failed auth, invalid inputs) 40 - - [ ] **Never log sensitive data** (passwords, tokens, PII) 28 + ### 2. Security Review 29 + **CHECK FOR:** 30 + - SQL injection vulnerabilities (even with prepared statements, verify) 31 + - Proper input validation and sanitization 32 + - Authentication/authorization checks on all protected endpoints 33 + - No sensitive data in logs or error messages 34 + - Rate limiting on public endpoints 35 + - CSRF protection where applicable 36 + - Proper atProto identity verification 41 37 42 - ### Red Flags to Avoid: 38 + ### 3. Error Handling Audit 39 + **VERIFY:** 40 + - All errors are handled, not ignored 41 + - Error wrapping provides context: `fmt.Errorf("service: %w", err)` 42 + - Domain errors defined in core/errors/ 43 + - HTTP status codes correctly map to error types 44 + - No internal error details exposed to API consumers 45 + - Nil pointer checks before dereferencing 43 46 44 - - `fmt.Sprintf` in SQL queries → Use parameterized queries 45 - - Missing `context.Context` → Need it for timeouts/cancellation 46 - - No input validation → Add it immediately 47 - - Error messages with internal details → Wrap errors properly 48 - - Unbounded queries → Add limits/pagination 47 + ### 4. Performance Considerations 48 + **LOOK FOR:** 49 + - N+1 query problems 50 + - Missing database indexes for frequently queried fields 51 + - Unnecessary database round trips 52 + - Large unbounded queries without pagination 53 + - Memory leaks in goroutines 54 + - Proper connection pool usage 55 + - Efficient atProto federation calls 49 56 50 - ### "How should I structure this?" 57 + ### 5. Testing Coverage 58 + **REQUIRE:** 59 + - Unit tests for all new service methods 60 + - Integration tests for new API endpoints 61 + - Edge case coverage (empty inputs, max values, special characters) 62 + - Error path testing 63 + - Mock verification in unit tests 64 + - No flaky tests (check for time dependencies, random values) 51 65 52 - 1. One domain, one package 53 - 2. Interfaces for testability 54 - 3. Services coordinate repos 55 - 4. Handlers only handle XRPC 66 + ### 6. Code Quality 67 + **ASSESS:** 68 + - Naming follows conventions (full words, not abbreviations) 69 + - Functions do one thing well 70 + - No code duplication (DRY principle) 71 + - Consistent error handling patterns 72 + - Proper use of Go idioms 73 + - No commented-out code 56 74 57 - ## Pre-Production Advantages 75 + ### 7. Breaking Changes 76 + **IDENTIFY:** 77 + - API contract changes 78 + - Database schema modifications affecting existing data 79 + - Changes to core interfaces 80 + - Modified error codes or response formats 58 81 59 - Since we're pre-production: 82 + ### 8. Documentation 83 + **ENSURE:** 84 + - API endpoints have example requests/responses 85 + - Complex business logic is explained 86 + - Database migrations include rollback scripts 87 + - README updated if setup process changes 88 + - Swagger/OpenAPI specs updated if applicable 60 89 61 - - **Break things**: Delete and rebuild rather than complex migrations 62 - - **Experiment**: Try approaches, keep what works 63 - - **Simplify**: Remove unused code aggressively 64 - - **But never compromise security basics** 90 + ## Review Process 65 91 66 - ## Success Metrics 92 + 1. **First Pass - Automatic Rejections** 93 + - SQL in handlers 94 + - Missing tests 95 + - Security vulnerabilities 96 + - Broken layer separation 67 97 68 - Your code is ready when: 98 + 2. **Second Pass - Deep Dive** 99 + - Business logic correctness 100 + - Edge case handling 101 + - Performance implications 102 + - Code maintainability 69 103 70 - - [ ] Tests pass (including security tests) 71 - - [ ] Follows atProto patterns 72 - - [ ] Handles errors gracefully 73 - - [ ] Works end-to-end with auth 104 + 3. **Third Pass - Suggestions** 105 + - Better patterns or approaches 106 + - Refactoring opportunities 107 + - Future considerations 74 108 75 - ## Quick Checks Before Committing 109 + Then provide detailed feedback organized by: 1. 🚨 **Critical Issues** (must fix) 2. ⚠️ **Important Issues** (should fix) 3. 💡 **Suggestions** (consider for improvement) 4. ✅ **Good Practices Observed** (reinforce positive patterns) 76 110 77 - 1. **Will it work?** (Integration test proves it) 78 - 2. **Is it secure?** (Auth, validation, parameterized queries) 79 - 3. **Is it simple?** (Could you explain to a junior?) 80 - 4. **Is it complete?** (Test, implementation, documentation) 81 111 82 - Remember: We're building a working product. Perfect is the enemy of shipped. 112 + Remember: The goal is to ship quality code quickly. Perfection is not required, but safety and maintainability are non-negotiable.

+3 -3

TESTING_SUMMARY.md

··· 81 81 82 82 Test individual components in isolation. 83 83 84 - **Example**: [internal/core/users/service_test.go](internal/core/users/service_test.go) 84 + **Note**: Unit tests will be added as needed. Currently focusing on integration tests. 85 85 86 86 ```bash 87 - # Run unit tests for a specific package 87 + # Run unit tests for a specific package (when available) 88 88 go test -v ./internal/core/users/... 89 89 ``` 90 90 ··· 346 346 - ✅ One test file per feature/endpoint 347 347 348 348 ### Test Data 349 - - ✅ Use `@example.com` emails for test users (auto-cleaned by setupTestDB) 349 + - ✅ Use `.test` handles for test users (e.g., `alice.test`) (auto-cleaned by setupTestDB) 350 350 - ✅ Clean up data in tests (or rely on setupTestDB cleanup) 351 351 - ✅ Don't rely on specific test execution order 352 352 - ✅ Each test should be independent

+32 -12

cmd/server/main.go

··· 6 6 "log" 7 7 "net/http" 8 8 "os" 9 + "time" 9 10 10 11 "github.com/go-chi/chi/v5" 11 - "github.com/go-chi/chi/v5/middleware" 12 + chiMiddleware "github.com/go-chi/chi/v5/middleware" 12 13 _ "github.com/lib/pq" 13 14 "github.com/pressly/goose/v3" 14 15 16 + "Coves/internal/api/middleware" 15 17 "Coves/internal/api/routes" 16 18 "Coves/internal/core/users" 17 19 postgresRepo "Coves/internal/db/postgres" 18 20 ) 19 21 20 22 func main() { 23 + // Database configuration (AppView database) 21 24 dbURL := os.Getenv("DATABASE_URL") 22 25 if dbURL == "" { 23 - dbURL = "postgres://postgres:password@localhost:5432/coves?sslmode=disable" 26 + // Use dev database from .env.dev 27 + dbURL = "postgres://dev_user:dev_password@localhost:5433/coves_dev?sslmode=disable" 28 + } 29 + 30 + // PDS URL configuration 31 + pdsURL := os.Getenv("PDS_URL") 32 + if pdsURL == "" { 33 + pdsURL = "http://localhost:3001" // Local dev PDS 24 34 } 25 35 26 36 db, err := sql.Open("postgres", dbURL) ··· 33 43 log.Fatal("Failed to ping database:", err) 34 44 } 35 45 46 + log.Println("Connected to AppView database") 47 + 48 + // Run migrations 36 49 if err := goose.SetDialect("postgres"); err != nil { 37 50 log.Fatal("Failed to set goose dialect:", err) 38 51 } ··· 41 54 log.Fatal("Failed to run migrations:", err) 42 55 } 43 56 57 + log.Println("Migrations completed successfully") 58 + 44 59 r := chi.NewRouter() 45 60 46 - r.Use(middleware.Logger) 47 - r.Use(middleware.Recoverer) 48 - r.Use(middleware.RequestID) 61 + r.Use(chiMiddleware.Logger) 62 + r.Use(chiMiddleware.Recoverer) 63 + r.Use(chiMiddleware.RequestID) 49 64 50 - // Initialize repositories 65 + // Rate limiting: 100 requests per minute per IP 66 + rateLimiter := middleware.NewRateLimiter(100, 1*time.Minute) 67 + r.Use(rateLimiter.Middleware) 68 + 69 + // Initialize repositories and services 51 70 userRepo := postgresRepo.NewUserRepository(db) 52 - userService := users.NewUserService(userRepo) 71 + userService := users.NewUserService(userRepo, pdsURL) 53 72 54 - // Mount routes 55 - r.Mount("/api/users", routes.UserRoutes(userService)) 73 + // Mount XRPC routes 74 + r.Mount("/xrpc/social.coves.actor", routes.UserRoutes(userService)) 56 75 57 76 r.Get("/health", func(w http.ResponseWriter, r *http.Request) { 58 77 w.WriteHeader(http.StatusOK) 59 78 w.Write([]byte("OK")) 60 79 }) 61 80 62 - port := os.Getenv("PORT") 81 + port := os.Getenv("APPVIEW_PORT") 63 82 if port == "" { 64 - port = "8080" 83 + port = "8081" // Match .env.dev default 65 84 } 66 85 67 - fmt.Printf("Server starting on port %s\n", port) 86 + fmt.Printf("Coves AppView starting on port %s\n", port) 87 + fmt.Printf("PDS URL: %s\n", pdsURL) 68 88 log.Fatal(http.ListenAndServe(":"+port, r)) 69 89 }

+122

internal/api/middleware/ratelimit.go

··· 1 + package middleware 2 + 3 + import ( 4 + "net/http" 5 + "sync" 6 + "time" 7 + ) 8 + 9 + // RateLimiter implements a simple in-memory rate limiter 10 + // For production, consider using Redis or a distributed rate limiter 11 + type RateLimiter struct { 12 + mu sync.Mutex 13 + clients map[string]*clientLimit 14 + requests int // Max requests per window 15 + window time.Duration // Time window 16 + } 17 + 18 + type clientLimit struct { 19 + count int 20 + resetTime time.Time 21 + } 22 + 23 + // NewRateLimiter creates a new rate limiter 24 + // requests: maximum number of requests allowed per window 25 + // window: time window duration (e.g., 1 minute) 26 + func NewRateLimiter(requests int, window time.Duration) *RateLimiter { 27 + rl := &RateLimiter{ 28 + clients: make(map[string]*clientLimit), 29 + requests: requests, 30 + window: window, 31 + } 32 + 33 + // Cleanup old entries every window duration 34 + go rl.cleanup() 35 + 36 + return rl 37 + } 38 + 39 + // Middleware returns a rate limiting middleware 40 + func (rl *RateLimiter) Middleware(next http.Handler) http.Handler { 41 + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 42 + // Use IP address as client identifier 43 + // In production, consider using authenticated user ID if available 44 + clientID := getClientIP(r) 45 + 46 + if !rl.allow(clientID) { 47 + http.Error(w, "Rate limit exceeded. Please try again later.", http.StatusTooManyRequests) 48 + return 49 + } 50 + 51 + next.ServeHTTP(w, r) 52 + }) 53 + } 54 + 55 + // allow checks if a client is allowed to make a request 56 + func (rl *RateLimiter) allow(clientID string) bool { 57 + rl.mu.Lock() 58 + defer rl.mu.Unlock() 59 + 60 + now := time.Now() 61 + 62 + // Get or create client limit 63 + client, exists := rl.clients[clientID] 64 + if !exists { 65 + rl.clients[clientID] = &clientLimit{ 66 + count: 1, 67 + resetTime: now.Add(rl.window), 68 + } 69 + return true 70 + } 71 + 72 + // Check if window has expired 73 + if now.After(client.resetTime) { 74 + client.count = 1 75 + client.resetTime = now.Add(rl.window) 76 + return true 77 + } 78 + 79 + // Check if under limit 80 + if client.count < rl.requests { 81 + client.count++ 82 + return true 83 + } 84 + 85 + // Rate limit exceeded 86 + return false 87 + } 88 + 89 + // cleanup removes expired client entries periodically 90 + func (rl *RateLimiter) cleanup() { 91 + ticker := time.NewTicker(rl.window) 92 + defer ticker.Stop() 93 + 94 + for range ticker.C { 95 + rl.mu.Lock() 96 + now := time.Now() 97 + for clientID, client := range rl.clients { 98 + if now.After(client.resetTime) { 99 + delete(rl.clients, clientID) 100 + } 101 + } 102 + rl.mu.Unlock() 103 + } 104 + } 105 + 106 + // getClientIP extracts the client IP from the request 107 + func getClientIP(r *http.Request) string { 108 + // Check X-Forwarded-For header (if behind proxy) 109 + forwarded := r.Header.Get("X-Forwarded-For") 110 + if forwarded != "" { 111 + return forwarded 112 + } 113 + 114 + // Check X-Real-IP header 115 + realIP := r.Header.Get("X-Real-IP") 116 + if realIP != "" { 117 + return realIP 118 + } 119 + 120 + // Fall back to RemoteAddr 121 + return r.RemoteAddr 122 + }

+65 -9

internal/api/routes/user.go

··· 1 1 package routes 2 2 3 3 import ( 4 + "encoding/json" 5 + "net/http" 6 + "time" 7 + 4 8 "Coves/internal/core/users" 5 9 "github.com/go-chi/chi/v5" 6 - "net/http" 7 10 ) 8 11 9 - // UserRoutes returns user-related routes 12 + // UserHandler handles user-related XRPC endpoints 13 + type UserHandler struct { 14 + userService users.UserService 15 + } 16 + 17 + // NewUserHandler creates a new user handler 18 + func NewUserHandler(userService users.UserService) *UserHandler { 19 + return &UserHandler{ 20 + userService: userService, 21 + } 22 + } 23 + 24 + // UserRoutes returns user-related XRPC routes 25 + // Implements social.coves.actor.* lexicon endpoints 10 26 func UserRoutes(service users.UserService) chi.Router { 27 + h := NewUserHandler(service) 11 28 r := chi.NewRouter() 12 - 13 - // TODO: Implement user handlers 14 - r.Get("/", func(w http.ResponseWriter, r *http.Request) { 15 - w.WriteHeader(http.StatusOK) 16 - w.Write([]byte("User routes not yet implemented")) 17 - }) 18 - 29 + 30 + // social.coves.actor.getProfile - query endpoint 31 + r.Get("/profile", h.GetProfile) 32 + 19 33 return r 34 + } 35 + 36 + // GetProfile handles social.coves.actor.getProfile 37 + // Query endpoint that retrieves a user profile by DID or handle 38 + func (h *UserHandler) GetProfile(w http.ResponseWriter, r *http.Request) { 39 + ctx := r.Context() 40 + 41 + // Get actor parameter (DID or handle) 42 + actor := r.URL.Query().Get("actor") 43 + if actor == "" { 44 + http.Error(w, "actor parameter is required", http.StatusBadRequest) 45 + return 46 + } 47 + 48 + var user *users.User 49 + var err error 50 + 51 + // Determine if actor is a DID or handle 52 + // DIDs start with "did:", handles don't 53 + if len(actor) > 4 && actor[:4] == "did:" { 54 + user, err = h.userService.GetUserByDID(ctx, actor) 55 + } else { 56 + user, err = h.userService.GetUserByHandle(ctx, actor) 57 + } 58 + 59 + if err != nil { 60 + http.Error(w, "user not found", http.StatusNotFound) 61 + return 62 + } 63 + 64 + // Minimal profile response (matching lexicon structure) 65 + response := map[string]interface{}{ 66 + "did": user.DID, 67 + "profile": map[string]interface{}{ 68 + "handle": user.Handle, 69 + "createdAt": user.CreatedAt.Format(time.RFC3339), 70 + }, 71 + } 72 + 73 + w.Header().Set("Content-Type", "application/json") 74 + w.WriteHeader(http.StatusOK) 75 + json.NewEncoder(w).Encode(response) 20 76 }

+15 -7

internal/core/users/interfaces.go

··· 1 1 package users 2 2 3 - type UserServiceInterface interface { 4 - CreateUser(req CreateUserRequest) (*User, error) 5 - GetUserByID(id int) (*User, error) 6 - GetUserByEmail(email string) (*User, error) 7 - GetUserByUsername(username string) (*User, error) 8 - UpdateUser(id int, req UpdateUserRequest) (*User, error) 9 - DeleteUser(id int) error 3 + import "context" 4 + 5 + // UserRepository defines the interface for user data persistence 6 + type UserRepository interface { 7 + Create(ctx context.Context, user *User) (*User, error) 8 + GetByDID(ctx context.Context, did string) (*User, error) 9 + GetByHandle(ctx context.Context, handle string) (*User, error) 10 + } 11 + 12 + // UserService defines the interface for user business logic 13 + type UserService interface { 14 + CreateUser(ctx context.Context, req CreateUserRequest) (*User, error) 15 + GetUserByDID(ctx context.Context, did string) (*User, error) 16 + GetUserByHandle(ctx context.Context, handle string) (*User, error) 17 + ResolveHandleToDID(ctx context.Context, handle string) (string, error) 10 18 }

-10

internal/core/users/repository.go

··· 1 - package users 2 - 3 - type UserRepository interface { 4 - Create(user *User) (*User, error) 5 - GetByID(id int) (*User, error) 6 - GetByEmail(email string) (*User, error) 7 - GetByUsername(username string) (*User, error) 8 - Update(user *User) (*User, error) 9 - Delete(id int) error 10 - }

+75 -122

internal/core/users/service.go

··· 1 1 package users 2 2 3 3 import ( 4 + "context" 4 5 "fmt" 6 + "regexp" 5 7 "strings" 6 8 ) 7 9 8 - type UserService struct { 10 + // atProto handle validation regex 11 + // Handles must: start/end with alphanumeric, contain only alphanumeric + hyphens, no consecutive hyphens 12 + var handleRegex = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$`) 13 + 14 + type userService struct { 9 15 userRepo UserRepository 16 + pdsURL string // TODO: Support federated PDS - different users may have different PDS hosts 10 17 } 11 18 12 - func NewUserService(userRepo UserRepository) *UserService { 13 - return &UserService{ 19 + // NewUserService creates a new user service 20 + func NewUserService(userRepo UserRepository, pdsURL string) UserService { 21 + return &userService{ 14 22 userRepo: userRepo, 23 + pdsURL: pdsURL, 15 24 } 16 25 } 17 26 18 - func (s *UserService) CreateUser(req CreateUserRequest) (*User, error) { 27 + // CreateUser creates a new user in the AppView database 28 + func (s *userService) CreateUser(ctx context.Context, req CreateUserRequest) (*User, error) { 19 29 if err := s.validateCreateRequest(req); err != nil { 20 30 return nil, err 21 31 } 22 - 23 - req.Email = strings.TrimSpace(strings.ToLower(req.Email)) 24 - req.Username = strings.TrimSpace(req.Username) 25 - 26 - existingUser, _ := s.userRepo.GetByEmail(req.Email) 27 - if existingUser != nil { 28 - return nil, fmt.Errorf("service: email already exists") 29 - } 30 - 31 - existingUser, _ = s.userRepo.GetByUsername(req.Username) 32 - if existingUser != nil { 33 - return nil, fmt.Errorf("service: username already exists") 34 - } 35 - 32 + 33 + // Normalize handle 34 + req.Handle = strings.TrimSpace(strings.ToLower(req.Handle)) 35 + req.DID = strings.TrimSpace(req.DID) 36 + 36 37 user := &User{ 37 - Email: req.Email, 38 - Username: req.Username, 38 + DID: req.DID, 39 + Handle: req.Handle, 39 40 } 40 - 41 - return s.userRepo.Create(user) 41 + 42 + // Repository will handle duplicate constraint errors 43 + return s.userRepo.Create(ctx, user) 42 44 } 43 45 44 - func (s *UserService) GetUserByID(id int) (*User, error) { 45 - if id <= 0 { 46 - return nil, fmt.Errorf("service: invalid user ID") 46 + // GetUserByDID retrieves a user by their DID 47 + func (s *userService) GetUserByDID(ctx context.Context, did string) (*User, error) { 48 + if strings.TrimSpace(did) == "" { 49 + return nil, fmt.Errorf("DID is required") 47 50 } 48 - 49 - user, err := s.userRepo.GetByID(id) 50 - if err != nil { 51 - if strings.Contains(err.Error(), "not found") { 52 - return nil, fmt.Errorf("service: user not found") 53 - } 54 - return nil, fmt.Errorf("service: %w", err) 55 - } 56 - 57 - return user, nil 51 + 52 + return s.userRepo.GetByDID(ctx, did) 58 53 } 59 54 60 - func (s *UserService) GetUserByEmail(email string) (*User, error) { 61 - email = strings.TrimSpace(strings.ToLower(email)) 62 - if email == "" { 63 - return nil, fmt.Errorf("service: email is required") 55 + // GetUserByHandle retrieves a user by their handle 56 + func (s *userService) GetUserByHandle(ctx context.Context, handle string) (*User, error) { 57 + handle = strings.TrimSpace(strings.ToLower(handle)) 58 + if handle == "" { 59 + return nil, fmt.Errorf("handle is required") 64 60 } 65 - 66 - user, err := s.userRepo.GetByEmail(email) 67 - if err != nil { 68 - if strings.Contains(err.Error(), "not found") { 69 - return nil, fmt.Errorf("service: user not found") 70 - } 71 - return nil, fmt.Errorf("service: %w", err) 72 - } 73 - 74 - return user, nil 61 + 62 + return s.userRepo.GetByHandle(ctx, handle) 75 63 } 76 64 77 - func (s *UserService) GetUserByUsername(username string) (*User, error) { 78 - username = strings.TrimSpace(username) 79 - if username == "" { 80 - return nil, fmt.Errorf("service: username is required") 65 + // ResolveHandleToDID resolves a handle to a DID 66 + // This is critical for login: users enter their handle, we resolve to DID 67 + // TODO: Implement actual DNS/HTTPS resolution via atProto 68 + func (s *userService) ResolveHandleToDID(ctx context.Context, handle string) (string, error) { 69 + handle = strings.TrimSpace(strings.ToLower(handle)) 70 + if handle == "" { 71 + return "", fmt.Errorf("handle is required") 81 72 } 82 - 83 - user, err := s.userRepo.GetByUsername(username) 73 + 74 + // For now, check if user exists in our AppView database 75 + // Later: implement DNS TXT record lookup or HTTPS .well-known/atproto-did 76 + user, err := s.userRepo.GetByHandle(ctx, handle) 84 77 if err != nil { 85 - if strings.Contains(err.Error(), "not found") { 86 - return nil, fmt.Errorf("service: user not found") 87 - } 88 - return nil, fmt.Errorf("service: %w", err) 78 + return "", fmt.Errorf("failed to resolve handle %s: %w", handle, err) 89 79 } 90 - 91 - return user, nil 92 - } 93 80 94 - func (s *UserService) UpdateUser(id int, req UpdateUserRequest) (*User, error) { 95 - user, err := s.GetUserByID(id) 96 - if err != nil { 97 - return nil, err 98 - } 99 - 100 - if req.Email != "" { 101 - req.Email = strings.TrimSpace(strings.ToLower(req.Email)) 102 - if req.Email != user.Email { 103 - existingUser, _ := s.userRepo.GetByEmail(req.Email) 104 - if existingUser != nil && existingUser.ID != id { 105 - return nil, fmt.Errorf("service: email already exists") 106 - } 107 - } 108 - user.Email = req.Email 109 - } 110 - 111 - if req.Username != "" { 112 - req.Username = strings.TrimSpace(req.Username) 113 - if req.Username != user.Username { 114 - existingUser, _ := s.userRepo.GetByUsername(req.Username) 115 - if existingUser != nil && existingUser.ID != id { 116 - return nil, fmt.Errorf("service: username already exists") 117 - } 118 - } 119 - user.Username = req.Username 120 - } 121 - 122 - return s.userRepo.Update(user) 81 + return user.DID, nil 123 82 } 124 83 125 - func (s *UserService) DeleteUser(id int) error { 126 - if id <= 0 { 127 - return fmt.Errorf("service: invalid user ID") 84 + func (s *userService) validateCreateRequest(req CreateUserRequest) error { 85 + if strings.TrimSpace(req.DID) == "" { 86 + return fmt.Errorf("DID is required") 128 87 } 129 - 130 - err := s.userRepo.Delete(id) 131 - if err != nil { 132 - if strings.Contains(err.Error(), "not found") { 133 - return fmt.Errorf("service: user not found") 134 - } 135 - return fmt.Errorf("service: %w", err) 88 + 89 + if strings.TrimSpace(req.Handle) == "" { 90 + return fmt.Errorf("handle is required") 136 91 } 137 - 138 - return nil 139 - } 140 92 141 - func (s *UserService) validateCreateRequest(req CreateUserRequest) error { 142 - if strings.TrimSpace(req.Email) == "" { 143 - return fmt.Errorf("service: email is required") 93 + // DID format validation 94 + if !strings.HasPrefix(req.DID, "did:") { 95 + return fmt.Errorf("invalid DID format: must start with 'did:'") 144 96 } 145 - 146 - if strings.TrimSpace(req.Username) == "" { 147 - return fmt.Errorf("service: username is required") 97 + 98 + // atProto handle validation 99 + handle := strings.TrimSpace(strings.ToLower(req.Handle)) 100 + 101 + // Length validation (1-253 characters per atProto spec) 102 + if len(handle) < 1 || len(handle) > 253 { 103 + return fmt.Errorf("handle must be between 1 and 253 characters") 148 104 } 149 - 150 - if !strings.Contains(req.Email, "@") { 151 - return fmt.Errorf("service: invalid email format") 105 + 106 + // Regex validation: alphanumeric + hyphens + dots, no consecutive hyphens 107 + if !handleRegex.MatchString(handle) { 108 + return fmt.Errorf("invalid handle format: must contain only alphanumeric characters, hyphens, and dots; must start and end with alphanumeric; no consecutive hyphens") 152 109 } 153 - 154 - if len(req.Username) < 3 { 155 - return fmt.Errorf("service: username must be at least 3 characters") 110 + 111 + // Check for consecutive hyphens (not allowed in atProto) 112 + if strings.Contains(handle, "--") { 113 + return fmt.Errorf("invalid handle format: consecutive hyphens not allowed") 156 114 } 157 - 158 - return nil 159 - } 160 115 161 - type UpdateUserRequest struct { 162 - Email string `json:"email,omitempty"` 163 - Username string `json:"username,omitempty"` 116 + return nil 164 117 }

-272

internal/core/users/service_test.go

··· 1 - package users_test 2 - 3 - import ( 4 - "fmt" 5 - "testing" 6 - "time" 7 - 8 - "Coves/internal/core/users" 9 - ) 10 - 11 - type mockUserRepository struct { 12 - users map[int]*users.User 13 - nextID int 14 - shouldFail bool 15 - } 16 - 17 - func newMockUserRepository() *mockUserRepository { 18 - return &mockUserRepository{ 19 - users: make(map[int]*users.User), 20 - nextID: 1, 21 - } 22 - } 23 - 24 - func (m *mockUserRepository) Create(user *users.User) (*users.User, error) { 25 - if m.shouldFail { 26 - return nil, fmt.Errorf("mock: database error") 27 - } 28 - 29 - user.ID = m.nextID 30 - m.nextID++ 31 - user.CreatedAt = time.Now() 32 - user.UpdatedAt = time.Now() 33 - 34 - m.users[user.ID] = user 35 - return user, nil 36 - } 37 - 38 - func (m *mockUserRepository) GetByID(id int) (*users.User, error) { 39 - if m.shouldFail { 40 - return nil, fmt.Errorf("mock: database error") 41 - } 42 - 43 - user, exists := m.users[id] 44 - if !exists { 45 - return nil, fmt.Errorf("repository: user not found") 46 - } 47 - return user, nil 48 - } 49 - 50 - func (m *mockUserRepository) GetByEmail(email string) (*users.User, error) { 51 - if m.shouldFail { 52 - return nil, fmt.Errorf("mock: database error") 53 - } 54 - 55 - for _, user := range m.users { 56 - if user.Email == email { 57 - return user, nil 58 - } 59 - } 60 - return nil, fmt.Errorf("repository: user not found") 61 - } 62 - 63 - func (m *mockUserRepository) GetByUsername(username string) (*users.User, error) { 64 - if m.shouldFail { 65 - return nil, fmt.Errorf("mock: database error") 66 - } 67 - 68 - for _, user := range m.users { 69 - if user.Username == username { 70 - return user, nil 71 - } 72 - } 73 - return nil, fmt.Errorf("repository: user not found") 74 - } 75 - 76 - func (m *mockUserRepository) Update(user *users.User) (*users.User, error) { 77 - if m.shouldFail { 78 - return nil, fmt.Errorf("mock: database error") 79 - } 80 - 81 - if _, exists := m.users[user.ID]; !exists { 82 - return nil, fmt.Errorf("repository: user not found") 83 - } 84 - 85 - user.UpdatedAt = time.Now() 86 - m.users[user.ID] = user 87 - return user, nil 88 - } 89 - 90 - func (m *mockUserRepository) Delete(id int) error { 91 - if m.shouldFail { 92 - return fmt.Errorf("mock: database error") 93 - } 94 - 95 - if _, exists := m.users[id]; !exists { 96 - return fmt.Errorf("repository: user not found") 97 - } 98 - 99 - delete(m.users, id) 100 - return nil 101 - } 102 - 103 - func TestCreateUser(t *testing.T) { 104 - repo := newMockUserRepository() 105 - service := users.NewUserService(repo) 106 - 107 - tests := []struct { 108 - name string 109 - req users.CreateUserRequest 110 - wantErr bool 111 - errMsg string 112 - }{ 113 - { 114 - name: "valid user", 115 - req: users.CreateUserRequest{ 116 - Email: "test@example.com", 117 - Username: "testuser", 118 - }, 119 - wantErr: false, 120 - }, 121 - { 122 - name: "empty email", 123 - req: users.CreateUserRequest{ 124 - Email: "", 125 - Username: "testuser", 126 - }, 127 - wantErr: true, 128 - errMsg: "email is required", 129 - }, 130 - { 131 - name: "empty username", 132 - req: users.CreateUserRequest{ 133 - Email: "test@example.com", 134 - Username: "", 135 - }, 136 - wantErr: true, 137 - errMsg: "username is required", 138 - }, 139 - { 140 - name: "invalid email format", 141 - req: users.CreateUserRequest{ 142 - Email: "invalidemail", 143 - Username: "testuser", 144 - }, 145 - wantErr: true, 146 - errMsg: "invalid email format", 147 - }, 148 - { 149 - name: "short username", 150 - req: users.CreateUserRequest{ 151 - Email: "test@example.com", 152 - Username: "ab", 153 - }, 154 - wantErr: true, 155 - errMsg: "username must be at least 3 characters", 156 - }, 157 - } 158 - 159 - for _, tt := range tests { 160 - t.Run(tt.name, func(t *testing.T) { 161 - user, err := service.CreateUser(tt.req) 162 - 163 - if tt.wantErr { 164 - if err == nil { 165 - t.Errorf("expected error but got none") 166 - } else if tt.errMsg != "" && err.Error() != "service: "+tt.errMsg { 167 - t.Errorf("expected error message '%s' but got '%s'", tt.errMsg, err.Error()) 168 - } 169 - } else { 170 - if err != nil { 171 - t.Errorf("unexpected error: %v", err) 172 - } 173 - if user == nil { 174 - t.Errorf("expected user but got nil") 175 - } 176 - } 177 - }) 178 - } 179 - } 180 - 181 - func TestCreateUserDuplicates(t *testing.T) { 182 - repo := newMockUserRepository() 183 - service := users.NewUserService(repo) 184 - 185 - req := users.CreateUserRequest{ 186 - Email: "test@example.com", 187 - Username: "testuser", 188 - } 189 - 190 - _, err := service.CreateUser(req) 191 - if err != nil { 192 - t.Fatalf("unexpected error creating first user: %v", err) 193 - } 194 - 195 - _, err = service.CreateUser(req) 196 - if err == nil { 197 - t.Errorf("expected error for duplicate email but got none") 198 - } else if err.Error() != "service: email already exists" { 199 - t.Errorf("unexpected error message: %v", err) 200 - } 201 - 202 - req2 := users.CreateUserRequest{ 203 - Email: "different@example.com", 204 - Username: "testuser", 205 - } 206 - 207 - _, err = service.CreateUser(req2) 208 - if err == nil { 209 - t.Errorf("expected error for duplicate username but got none") 210 - } else if err.Error() != "service: username already exists" { 211 - t.Errorf("unexpected error message: %v", err) 212 - } 213 - } 214 - 215 - func TestGetUserByID(t *testing.T) { 216 - repo := newMockUserRepository() 217 - service := users.NewUserService(repo) 218 - 219 - createdUser, err := service.CreateUser(users.CreateUserRequest{ 220 - Email: "test@example.com", 221 - Username: "testuser", 222 - }) 223 - if err != nil { 224 - t.Fatalf("failed to create user: %v", err) 225 - } 226 - 227 - tests := []struct { 228 - name string 229 - id int 230 - wantErr bool 231 - errMsg string 232 - }{ 233 - { 234 - name: "valid ID", 235 - id: createdUser.ID, 236 - wantErr: false, 237 - }, 238 - { 239 - name: "invalid ID", 240 - id: 0, 241 - wantErr: true, 242 - errMsg: "invalid user ID", 243 - }, 244 - { 245 - name: "non-existent ID", 246 - id: 999, 247 - wantErr: true, 248 - errMsg: "user not found", 249 - }, 250 - } 251 - 252 - for _, tt := range tests { 253 - t.Run(tt.name, func(t *testing.T) { 254 - user, err := service.GetUserByID(tt.id) 255 - 256 - if tt.wantErr { 257 - if err == nil { 258 - t.Errorf("expected error but got none") 259 - } else if tt.errMsg != "" && err.Error() != "service: "+tt.errMsg { 260 - t.Errorf("expected error message '%s' but got '%s'", tt.errMsg, err.Error()) 261 - } 262 - } else { 263 - if err != nil { 264 - t.Errorf("unexpected error: %v", err) 265 - } 266 - if user == nil { 267 - t.Errorf("expected user but got nil") 268 - } 269 - } 270 - }) 271 - } 272 - }

+10 -7

internal/core/users/user.go

··· 4 4 "time" 5 5 ) 6 6 7 + // User represents an atProto user tracked in the Coves AppView 8 + // This is NOT the user's repository - that lives in the PDS 9 + // This table only tracks metadata for efficient AppView queries 7 10 type User struct { 8 - ID int `json:"id" db:"id"` 9 - Email string `json:"email" db:"email"` 10 - Username string `json:"username" db:"username"` 11 - CreatedAt time.Time `json:"created_at" db:"created_at"` 12 - UpdatedAt time.Time `json:"updated_at" db:"updated_at"` 11 + DID string `json:"did" db:"did"` // atProto DID (e.g., did:plc:xyz123) 12 + Handle string `json:"handle" db:"handle"` // Human-readable handle (e.g., alice.coves.dev) 13 + CreatedAt time.Time `json:"createdAt" db:"created_at"` 14 + UpdatedAt time.Time `json:"updatedAt" db:"updated_at"` 13 15 } 14 16 17 + // CreateUserRequest represents the input for creating a new user 15 18 type CreateUserRequest struct { 16 - Email string `json:"email"` 17 - Username string `json:"username"` 19 + DID string `json:"did"` 20 + Handle string `json:"handle"` 18 21 }

+7 -6

internal/db/migrations/001_create_users_table.sql

··· 1 1 -- +goose Up 2 + -- Create main users table for Coves (all users are atProto users) 2 3 CREATE TABLE users ( 3 - id SERIAL PRIMARY KEY, 4 - email VARCHAR(255) UNIQUE NOT NULL, 5 - username VARCHAR(50) UNIQUE NOT NULL, 4 + did TEXT PRIMARY KEY, 5 + handle TEXT UNIQUE NOT NULL, 6 6 created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP, 7 7 updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP 8 8 ); 9 9 10 - CREATE INDEX idx_users_email ON users(email); 11 - CREATE INDEX idx_users_username ON users(username); 10 + -- Indexes for efficient lookups 11 + CREATE INDEX idx_users_handle ON users(handle); 12 + CREATE INDEX idx_users_created_at ON users(created_at); 12 13 13 14 -- +goose Down 14 - DROP TABLE users; 15 + DROP TABLE users;

-32

internal/db/migrations/005_add_user_maps_indices.sql

··· 1 - -- +goose Up 2 - -- +goose StatementBegin 3 - 4 - -- Note: The user_maps table is created by GORM's AutoMigrate in the carstore package 5 - -- Only add indices if the table exists 6 - DO $$ 7 - BEGIN 8 - -- Check if user_maps table exists 9 - IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'user_maps') THEN 10 - -- Check if column exists before creating index 11 - IF EXISTS (SELECT 1 FROM information_schema.columns WHERE table_name = 'user_maps' AND column_name = 'did') THEN 12 - -- Explicit column name specified in GORM tag 13 - CREATE INDEX IF NOT EXISTS idx_user_maps_did ON user_maps(did); 14 - END IF; 15 - 16 - -- Add index on created_at if column exists 17 - IF EXISTS (SELECT 1 FROM information_schema.columns WHERE table_name = 'user_maps' AND column_name = 'created_at') THEN 18 - CREATE INDEX IF NOT EXISTS idx_user_maps_created_at ON user_maps(created_at); 19 - END IF; 20 - END IF; 21 - END $$; 22 - 23 - -- +goose StatementEnd 24 - 25 - -- +goose Down 26 - -- +goose StatementBegin 27 - 28 - -- Remove indices if they exist 29 - DROP INDEX IF EXISTS idx_user_maps_did; 30 - DROP INDEX IF EXISTS idx_user_maps_created_at; 31 - 32 - -- +goose StatementEnd

+36 -78

internal/db/postgres/user_repo.go

··· 1 1 package postgres 2 2 3 3 import ( 4 + "context" 4 5 "database/sql" 5 6 "fmt" 7 + "strings" 6 8 7 9 "Coves/internal/core/users" 8 10 ) 9 11 10 - type PostgresUserRepo struct { 12 + type postgresUserRepo struct { 11 13 db *sql.DB 12 14 } 13 15 16 + // NewUserRepository creates a new PostgreSQL user repository 14 17 func NewUserRepository(db *sql.DB) users.UserRepository { 15 - return &PostgresUserRepo{db: db} 18 + return &postgresUserRepo{db: db} 16 19 } 17 20 18 - func (r *PostgresUserRepo) Create(user *users.User) (*users.User, error) { 21 + // Create inserts a new user into the users table 22 + func (r *postgresUserRepo) Create(ctx context.Context, user *users.User) (*users.User, error) { 19 23 query := ` 20 - INSERT INTO users (email, username) 21 - VALUES ($1, $2) 22 - RETURNING id, email, username, created_at, updated_at` 24 + INSERT INTO users (did, handle) 25 + VALUES ($1, $2) 26 + RETURNING did, handle, created_at, updated_at` 23 27 24 - err := r.db.QueryRow(query, user.Email, user.Username). 25 - Scan(&user.ID, &user.Email, &user.Username, &user.CreatedAt, &user.UpdatedAt) 28 + err := r.db.QueryRowContext(ctx, query, user.DID, user.Handle). 29 + Scan(&user.DID, &user.Handle, &user.CreatedAt, &user.UpdatedAt) 26 30 27 31 if err != nil { 28 - return nil, fmt.Errorf("repository: failed to create user: %w", err) 29 - } 30 - 31 - return user, nil 32 - } 33 - 34 - func (r *PostgresUserRepo) GetByID(id int) (*users.User, error) { 35 - user := &users.User{} 36 - query := `SELECT id, email, username, created_at, updated_at FROM users WHERE id = $1` 37 - 38 - err := r.db.QueryRow(query, id). 39 - Scan(&user.ID, &user.Email, &user.Username, &user.CreatedAt, &user.UpdatedAt) 40 - 41 - if err == sql.ErrNoRows { 42 - return nil, fmt.Errorf("repository: user not found") 43 - } 44 - if err != nil { 45 - return nil, fmt.Errorf("repository: failed to get user: %w", err) 32 + // Check for unique constraint violations 33 + if strings.Contains(err.Error(), "duplicate key") { 34 + if strings.Contains(err.Error(), "users_pkey") { 35 + return nil, fmt.Errorf("user with DID already exists") 36 + } 37 + if strings.Contains(err.Error(), "users_handle_key") { 38 + return nil, fmt.Errorf("handle already taken") 39 + } 40 + } 41 + return nil, fmt.Errorf("failed to create user: %w", err) 46 42 } 47 43 48 44 return user, nil 49 45 } 50 46 51 - func (r *PostgresUserRepo) GetByEmail(email string) (*users.User, error) { 47 + // GetByDID retrieves a user by their DID 48 + func (r *postgresUserRepo) GetByDID(ctx context.Context, did string) (*users.User, error) { 52 49 user := &users.User{} 53 - query := `SELECT id, email, username, created_at, updated_at FROM users WHERE email = $1` 50 + query := `SELECT did, handle, created_at, updated_at FROM users WHERE did = $1` 54 51 55 - err := r.db.QueryRow(query, email). 56 - Scan(&user.ID, &user.Email, &user.Username, &user.CreatedAt, &user.UpdatedAt) 52 + err := r.db.QueryRowContext(ctx, query, did). 53 + Scan(&user.DID, &user.Handle, &user.CreatedAt, &user.UpdatedAt) 57 54 58 55 if err == sql.ErrNoRows { 59 - return nil, fmt.Errorf("repository: user not found") 56 + return nil, fmt.Errorf("user not found") 60 57 } 61 58 if err != nil { 62 - return nil, fmt.Errorf("repository: failed to get user by email: %w", err) 59 + return nil, fmt.Errorf("failed to get user by DID: %w", err) 63 60 } 64 61 65 62 return user, nil 66 63 } 67 64 68 - func (r *PostgresUserRepo) GetByUsername(username string) (*users.User, error) { 65 + // GetByHandle retrieves a user by their handle 66 + func (r *postgresUserRepo) GetByHandle(ctx context.Context, handle string) (*users.User, error) { 69 67 user := &users.User{} 70 - query := `SELECT id, email, username, created_at, updated_at FROM users WHERE username = $1` 68 + query := `SELECT did, handle, created_at, updated_at FROM users WHERE handle = $1` 71 69 72 - err := r.db.QueryRow(query, username). 73 - Scan(&user.ID, &user.Email, &user.Username, &user.CreatedAt, &user.UpdatedAt) 70 + err := r.db.QueryRowContext(ctx, query, handle). 71 + Scan(&user.DID, &user.Handle, &user.CreatedAt, &user.UpdatedAt) 74 72 75 73 if err == sql.ErrNoRows { 76 - return nil, fmt.Errorf("repository: user not found") 74 + return nil, fmt.Errorf("user not found") 77 75 } 78 76 if err != nil { 79 - return nil, fmt.Errorf("repository: failed to get user by username: %w", err) 77 + return nil, fmt.Errorf("failed to get user by handle: %w", err) 80 78 } 81 79 82 80 return user, nil 83 81 } 84 - 85 - func (r *PostgresUserRepo) Update(user *users.User) (*users.User, error) { 86 - query := ` 87 - UPDATE users 88 - SET email = $2, username = $3, updated_at = CURRENT_TIMESTAMP 89 - WHERE id = $1 90 - RETURNING id, email, username, created_at, updated_at` 91 - 92 - err := r.db.QueryRow(query, user.ID, user.Email, user.Username). 93 - Scan(&user.ID, &user.Email, &user.Username, &user.CreatedAt, &user.UpdatedAt) 94 - 95 - if err == sql.ErrNoRows { 96 - return nil, fmt.Errorf("repository: user not found") 97 - } 98 - if err != nil { 99 - return nil, fmt.Errorf("repository: failed to update user: %w", err) 100 - } 101 - 102 - return user, nil 103 - } 104 - 105 - func (r *PostgresUserRepo) Delete(id int) error { 106 - query := `DELETE FROM users WHERE id = $1` 107 - 108 - result, err := r.db.Exec(query, id) 109 - if err != nil { 110 - return fmt.Errorf("repository: failed to delete user: %w", err) 111 - } 112 - 113 - rowsAffected, err := result.RowsAffected() 114 - if err != nil { 115 - return fmt.Errorf("repository: failed to get rows affected: %w", err) 116 - } 117 - 118 - if rowsAffected == 0 { 119 - return fmt.Errorf("repository: user not found") 120 - } 121 - 122 - return nil 123 - }

+299 -30

tests/integration/integration_test.go

··· 1 1 package integration 2 2 3 3 import ( 4 - "Coves/internal/core/users" 5 - "Coves/internal/db/postgres" 6 - "bytes" 4 + "context" 7 5 "database/sql" 8 6 "encoding/json" 9 7 "fmt" 10 8 "net/http" 11 9 "net/http/httptest" 12 10 "os" 11 + "strings" 13 12 "testing" 14 13 15 14 "github.com/go-chi/chi/v5" ··· 17 16 "github.com/pressly/goose/v3" 18 17 19 18 "Coves/internal/api/routes" 19 + "Coves/internal/core/users" 20 + "Coves/internal/db/postgres" 20 21 ) 21 22 22 23 func setupTestDB(t *testing.T) *sql.DB { 23 24 // Build connection string from environment variables (set by .env.dev) 24 - // These are loaded by the Makefile when running tests 25 25 testUser := os.Getenv("POSTGRES_TEST_USER") 26 26 testPassword := os.Getenv("POSTGRES_TEST_PASSWORD") 27 27 testPort := os.Getenv("POSTGRES_TEST_PORT") ··· 62 62 } 63 63 64 64 // Clean up any existing test data 65 - _, err = db.Exec("DELETE FROM users WHERE email LIKE '%@example.com'") 65 + _, err = db.Exec("DELETE FROM users WHERE handle LIKE '%.test'") 66 66 if err != nil { 67 67 t.Logf("Warning: Failed to clean up test data: %v", err) 68 68 } ··· 70 70 return db 71 71 } 72 72 73 - func TestCreateUser(t *testing.T) { 73 + func TestUserCreationAndRetrieval(t *testing.T) { 74 + db := setupTestDB(t) 75 + defer db.Close() 76 + 77 + // Wire up dependencies 78 + userRepo := postgres.NewUserRepository(db) 79 + userService := users.NewUserService(userRepo, "http://localhost:3001") 80 + 81 + ctx := context.Background() 82 + 83 + // Test 1: Create a user 84 + t.Run("Create User", func(t *testing.T) { 85 + req := users.CreateUserRequest{ 86 + DID: "did:plc:test123456", 87 + Handle: "alice.test", 88 + } 89 + 90 + user, err := userService.CreateUser(ctx, req) 91 + if err != nil { 92 + t.Fatalf("Failed to create user: %v", err) 93 + } 94 + 95 + if user.DID != req.DID { 96 + t.Errorf("Expected DID %s, got %s", req.DID, user.DID) 97 + } 98 + 99 + if user.Handle != req.Handle { 100 + t.Errorf("Expected handle %s, got %s", req.Handle, user.Handle) 101 + } 102 + 103 + if user.CreatedAt.IsZero() { 104 + t.Error("CreatedAt should not be zero") 105 + } 106 + }) 107 + 108 + // Test 2: Retrieve user by DID 109 + t.Run("Get User By DID", func(t *testing.T) { 110 + user, err := userService.GetUserByDID(ctx, "did:plc:test123456") 111 + if err != nil { 112 + t.Fatalf("Failed to get user by DID: %v", err) 113 + } 114 + 115 + if user.Handle != "alice.test" { 116 + t.Errorf("Expected handle alice.test, got %s", user.Handle) 117 + } 118 + }) 119 + 120 + // Test 3: Retrieve user by handle 121 + t.Run("Get User By Handle", func(t *testing.T) { 122 + user, err := userService.GetUserByHandle(ctx, "alice.test") 123 + if err != nil { 124 + t.Fatalf("Failed to get user by handle: %v", err) 125 + } 126 + 127 + if user.DID != "did:plc:test123456" { 128 + t.Errorf("Expected DID did:plc:test123456, got %s", user.DID) 129 + } 130 + }) 131 + 132 + // Test 4: Resolve handle to DID 133 + t.Run("Resolve Handle to DID", func(t *testing.T) { 134 + did, err := userService.ResolveHandleToDID(ctx, "alice.test") 135 + if err != nil { 136 + t.Fatalf("Failed to resolve handle: %v", err) 137 + } 138 + 139 + if did != "did:plc:test123456" { 140 + t.Errorf("Expected DID did:plc:test123456, got %s", did) 141 + } 142 + }) 143 + } 144 + 145 + func TestGetProfileEndpoint(t *testing.T) { 74 146 db := setupTestDB(t) 75 147 defer db.Close() 76 148 77 - // Wire up dependencies according to architecture 149 + // Wire up dependencies 78 150 userRepo := postgres.NewUserRepository(db) 79 - userService := users.NewUserService(userRepo) 151 + userService := users.NewUserService(userRepo, "http://localhost:3001") 152 + 153 + // Create test user directly in service 154 + ctx := context.Background() 155 + _, err := userService.CreateUser(ctx, users.CreateUserRequest{ 156 + DID: "did:plc:endpoint123", 157 + Handle: "bob.test", 158 + }) 159 + if err != nil { 160 + t.Fatalf("Failed to create test user: %v", err) 161 + } 80 162 163 + // Set up HTTP router 81 164 r := chi.NewRouter() 82 - r.Mount("/api/users", routes.UserRoutes(userService)) 165 + r.Mount("/xrpc/social.coves.actor", routes.UserRoutes(userService)) 166 + 167 + // Test 1: Get profile by DID 168 + t.Run("Get Profile By DID", func(t *testing.T) { 169 + req := httptest.NewRequest("GET", "/xrpc/social.coves.actor/profile?actor=did:plc:endpoint123", nil) 170 + w := httptest.NewRecorder() 171 + r.ServeHTTP(w, req) 172 + 173 + if w.Code != http.StatusOK { 174 + t.Errorf("Expected status %d, got %d. Response: %s", http.StatusOK, w.Code, w.Body.String()) 175 + return 176 + } 177 + 178 + var response map[string]interface{} 179 + if err := json.NewDecoder(w.Body).Decode(&response); err != nil { 180 + t.Fatalf("Failed to decode response: %v", err) 181 + } 182 + 183 + if response["did"] != "did:plc:endpoint123" { 184 + t.Errorf("Expected DID did:plc:endpoint123, got %v", response["did"]) 185 + } 186 + }) 187 + 188 + // Test 2: Get profile by handle 189 + t.Run("Get Profile By Handle", func(t *testing.T) { 190 + req := httptest.NewRequest("GET", "/xrpc/social.coves.actor/profile?actor=bob.test", nil) 191 + w := httptest.NewRecorder() 192 + r.ServeHTTP(w, req) 193 + 194 + if w.Code != http.StatusOK { 195 + t.Errorf("Expected status %d, got %d. Response: %s", http.StatusOK, w.Code, w.Body.String()) 196 + return 197 + } 198 + 199 + var response map[string]interface{} 200 + if err := json.NewDecoder(w.Body).Decode(&response); err != nil { 201 + t.Fatalf("Failed to decode response: %v", err) 202 + } 203 + 204 + profile := response["profile"].(map[string]interface{}) 205 + if profile["handle"] != "bob.test" { 206 + t.Errorf("Expected handle bob.test, got %v", profile["handle"]) 207 + } 208 + }) 209 + 210 + // Test 3: Missing actor parameter 211 + t.Run("Missing Actor Parameter", func(t *testing.T) { 212 + req := httptest.NewRequest("GET", "/xrpc/social.coves.actor/profile", nil) 213 + w := httptest.NewRecorder() 214 + r.ServeHTTP(w, req) 215 + 216 + if w.Code != http.StatusBadRequest { 217 + t.Errorf("Expected status %d, got %d", http.StatusBadRequest, w.Code) 218 + } 219 + }) 220 + 221 + // Test 4: User not found 222 + t.Run("User Not Found", func(t *testing.T) { 223 + req := httptest.NewRequest("GET", "/xrpc/social.coves.actor/profile?actor=nonexistent.test", nil) 224 + w := httptest.NewRecorder() 225 + r.ServeHTTP(w, req) 226 + 227 + if w.Code != http.StatusNotFound { 228 + t.Errorf("Expected status %d, got %d", http.StatusNotFound, w.Code) 229 + } 230 + }) 231 + } 232 + 233 + // TestDuplicateCreation tests that duplicate DID/handle creation fails properly 234 + func TestDuplicateCreation(t *testing.T) { 235 + db := setupTestDB(t) 236 + defer db.Close() 237 + 238 + userRepo := postgres.NewUserRepository(db) 239 + userService := users.NewUserService(userRepo, "http://localhost:3001") 240 + ctx := context.Background() 83 241 84 - user := users.CreateUserRequest{ 85 - Email: "test@example.com", 86 - Username: "testuser", 242 + // Create first user 243 + _, err := userService.CreateUser(ctx, users.CreateUserRequest{ 244 + DID: "did:plc:duplicate123", 245 + Handle: "duplicate.test", 246 + }) 247 + if err != nil { 248 + t.Fatalf("Failed to create first user: %v", err) 87 249 } 88 250 89 - body, _ := json.Marshal(user) 90 - req := httptest.NewRequest("POST", "/api/users", bytes.NewBuffer(body)) 91 - req.Header.Set("Content-Type", "application/json") 251 + // Test duplicate DID 252 + t.Run("Duplicate DID", func(t *testing.T) { 253 + _, err := userService.CreateUser(ctx, users.CreateUserRequest{ 254 + DID: "did:plc:duplicate123", 255 + Handle: "different.test", 256 + }) 92 257 93 - w := httptest.NewRecorder() 94 - r.ServeHTTP(w, req) 258 + if err == nil { 259 + t.Error("Expected error for duplicate DID, got nil") 260 + } 95 261 96 - if w.Code != http.StatusCreated { 97 - t.Errorf("Expected status %d, got %d. Response: %s", http.StatusCreated, w.Code, w.Body.String()) 98 - return 99 - } 262 + if !strings.Contains(err.Error(), "DID already exists") { 263 + t.Errorf("Expected 'DID already exists' error, got: %v", err) 264 + } 265 + }) 100 266 101 - var createdUser users.User 102 - if err := json.NewDecoder(w.Body).Decode(&createdUser); err != nil { 103 - t.Fatalf("Failed to decode response: %v", err) 104 - } 267 + // Test duplicate handle 268 + t.Run("Duplicate Handle", func(t *testing.T) { 269 + _, err := userService.CreateUser(ctx, users.CreateUserRequest{ 270 + DID: "did:plc:different456", 271 + Handle: "duplicate.test", 272 + }) 273 + 274 + if err == nil { 275 + t.Error("Expected error for duplicate handle, got nil") 276 + } 277 + 278 + if !strings.Contains(err.Error(), "handle already taken") { 279 + t.Errorf("Expected 'handle already taken' error, got: %v", err) 280 + } 281 + }) 282 + } 283 + 284 + // TestHandleValidation tests atProto handle validation rules 285 + func TestHandleValidation(t *testing.T) { 286 + db := setupTestDB(t) 287 + defer db.Close() 105 288 106 - if createdUser.Email != user.Email { 107 - t.Errorf("Expected email %s, got %s", user.Email, createdUser.Email) 289 + userRepo := postgres.NewUserRepository(db) 290 + userService := users.NewUserService(userRepo, "http://localhost:3001") 291 + ctx := context.Background() 292 + 293 + testCases := []struct { 294 + name string 295 + did string 296 + handle string 297 + shouldError bool 298 + errorMsg string 299 + }{ 300 + { 301 + name: "Valid handle with hyphen", 302 + did: "did:plc:valid1", 303 + handle: "alice-bob.test", 304 + shouldError: false, 305 + }, 306 + { 307 + name: "Valid handle with dots", 308 + did: "did:plc:valid2", 309 + handle: "alice.bob.test", 310 + shouldError: false, 311 + }, 312 + { 313 + name: "Invalid: consecutive hyphens", 314 + did: "did:plc:invalid1", 315 + handle: "alice--bob.test", 316 + shouldError: true, 317 + errorMsg: "consecutive hyphens", 318 + }, 319 + { 320 + name: "Invalid: starts with hyphen", 321 + did: "did:plc:invalid2", 322 + handle: "-alice.test", 323 + shouldError: true, 324 + errorMsg: "invalid handle format", 325 + }, 326 + { 327 + name: "Invalid: ends with hyphen", 328 + did: "did:plc:invalid3", 329 + handle: "alice-.test", 330 + shouldError: true, 331 + errorMsg: "invalid handle format", 332 + }, 333 + { 334 + name: "Invalid: special characters", 335 + did: "did:plc:invalid4", 336 + handle: "alice!bob.test", 337 + shouldError: true, 338 + errorMsg: "invalid handle format", 339 + }, 340 + { 341 + name: "Invalid: spaces", 342 + did: "did:plc:invalid5", 343 + handle: "alice bob.test", 344 + shouldError: true, 345 + errorMsg: "invalid handle format", 346 + }, 347 + { 348 + name: "Invalid: too long", 349 + did: "did:plc:invalid6", 350 + handle: strings.Repeat("a", 254) + ".test", 351 + shouldError: true, 352 + errorMsg: "must be between 1 and 253 characters", 353 + }, 354 + { 355 + name: "Invalid: missing DID prefix", 356 + did: "plc:invalid7", 357 + handle: "valid.test", 358 + shouldError: true, 359 + errorMsg: "must start with 'did:'", 360 + }, 108 361 } 109 362 110 - if createdUser.Username != user.Username { 111 - t.Errorf("Expected username %s, got %s", user.Username, createdUser.Username) 363 + for _, tc := range testCases { 364 + t.Run(tc.name, func(t *testing.T) { 365 + _, err := userService.CreateUser(ctx, users.CreateUserRequest{ 366 + DID: tc.did, 367 + Handle: tc.handle, 368 + }) 369 + 370 + if tc.shouldError { 371 + if err == nil { 372 + t.Errorf("Expected error, got nil") 373 + } else if !strings.Contains(err.Error(), tc.errorMsg) { 374 + t.Errorf("Expected error containing '%s', got: %v", tc.errorMsg, err) 375 + } 376 + } else { 377 + if err != nil { 378 + t.Errorf("Expected no error, got: %v", err) 379 + } 380 + } 381 + }) 112 382 } 113 383 } 114 -