+6 -3

pkg/appview/handlers/attestation_details.go

··· 263 263 // Two-hop flow: (1) get presigned URL from hold, (2) fetch blob from S3. 264 264 // serviceToken is optional — pass "" for public holds. 265 265 func fetchLayerBlob(ctx context.Context, holdEndpoint, layerDigest, serviceToken string) ([]byte, error) { 266 266 - holdURL := atproto.ResolveHoldURL(holdEndpoint) 266 266 + holdURL, err := atproto.ResolveHoldURL(ctx, holdEndpoint) 267 267 + if err != nil { 268 268 + return nil, fmt.Errorf("could not resolve hold endpoint %s: %w", holdEndpoint, err) 269 269 + } 267 270 holdDID := atproto.ResolveHoldDIDFromURL(holdEndpoint) 268 268 - if holdURL == "" || holdDID == "" { 269 269 - return nil, fmt.Errorf("could not resolve hold endpoint: %s", holdEndpoint) 271 271 + if holdDID == "" { 272 272 + return nil, fmt.Errorf("could not resolve hold DID from: %s", holdEndpoint) 270 273 } 271 274 272 275 // Step 1: Request presigned URL from hold

+9 -2

pkg/appview/handlers/delete.go

··· 196 196 // deleteFromSingleHold deletes user data from a single hold 197 197 func (h *DeleteAccountHandler) deleteFromSingleHold(ctx context.Context, user *db.User, holdDID, relationship string) HoldDeleteResult { 198 198 // Resolve hold DID to URL 199 199 - holdURL := atproto.ResolveHoldURL(holdDID) 200 200 - endpoint := holdURL + "/xrpc/io.atcr.hold.deleteUserData" 199 199 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 201 200 202 201 result := HoldDeleteResult{ 203 202 HoldDID: holdDID, 204 203 Relationship: relationship, 205 204 Status: "failed", 206 205 } 206 206 + 207 207 + if err != nil { 208 208 + slog.Warn("Failed to resolve hold URL for deletion", "holdDid", holdDID, "error", err) 209 209 + result.Error = fmt.Sprintf("Failed to resolve hold URL: %v", err) 210 210 + return result 211 211 + } 212 212 + 213 213 + endpoint := holdURL + "/xrpc/io.atcr.hold.deleteUserData" 207 214 208 215 // Check if we have OAuth refresher (needed for service tokens) 209 216 if h.Refresher == nil {

+1 -1

pkg/appview/handlers/device.go

··· 527 527 <h1>✓ Device Authorized!</h1> 528 528 <p>Device <strong>{{.DeviceName}}</strong> has been successfully authorized.</p> 529 529 <p>You can now close this window and return to your terminal.</p> 530 530 - <p><a href="/settings">View your authorized devices</a></p> 530 530 + <p><a href="/settings#devices">View your authorized devices</a></p> 531 531 </div> 532 532 </body> 533 533 </html>

+10 -3

pkg/appview/handlers/export.go

··· 167 167 // fetchSingleHoldExport fetches export data from a single hold 168 168 func (h *ExportUserDataHandler) fetchSingleHoldExport(ctx context.Context, user *db.User, holdDID string, meta holdMetadata) HoldExportResult { 169 169 // Resolve hold DID to URL 170 170 - holdURL := atproto.ResolveHoldURL(holdDID) 171 171 - endpoint := holdURL + "/xrpc/io.atcr.hold.exportUserData" 170 170 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 172 171 173 172 result := HoldExportResult{ 174 173 HoldDID: holdDID, 175 175 - Endpoint: endpoint, 176 174 Relationship: meta.relationship, 177 175 FirstSeen: meta.firstSeen, 178 176 Status: "failed", 179 177 } 178 178 + 179 179 + if err != nil { 180 180 + slog.Warn("Failed to resolve hold URL for export", "holdDid", holdDID, "error", err) 181 181 + result.Error = fmt.Sprintf("Failed to resolve hold URL: %v", err) 182 182 + return result 183 183 + } 184 184 + 185 185 + endpoint := holdURL + "/xrpc/io.atcr.hold.exportUserData" 186 186 + result.Endpoint = endpoint 180 187 181 188 // Check if we have OAuth refresher (needed for service tokens) 182 189 if h.Refresher == nil {

+3 -3

pkg/appview/handlers/storage.go

··· 52 52 } 53 53 54 54 // Resolve hold URL from DID 55 55 - holdURL := atproto.ResolveHoldURL(holdDID) 56 56 - if holdURL == "" { 57 57 - slog.Warn("Failed to resolve hold URL", "did", user.DID, "holdDid", holdDID) 55 55 + holdURL, err := atproto.ResolveHoldURL(r.Context(), holdDID) 56 56 + if err != nil { 57 57 + slog.Warn("Failed to resolve hold URL", "did", user.DID, "holdDid", holdDID, "error", err) 58 58 h.renderError(w, "Failed to resolve hold service") 59 59 return 60 60 }

+9 -7

pkg/appview/handlers/subscription.go

··· 77 77 } 78 78 79 79 // Resolve hold DID to endpoint 80 80 - holdEndpoint := atproto.ResolveHoldURL(holdDID) 81 81 - if holdEndpoint == "" { 82 82 - slog.Warn("Failed to resolve hold endpoint", "holdDid", holdDID) 80 80 + holdEndpoint, err := atproto.ResolveHoldURL(r.Context(), holdDID) 81 81 + if err != nil { 82 82 + slog.Warn("Failed to resolve hold endpoint", "holdDid", holdDID, "error", err) 83 83 h.renderHidden(w) 84 84 return 85 85 } ··· 197 197 } 198 198 199 199 // Resolve hold endpoint 200 200 - holdEndpoint := atproto.ResolveHoldURL(holdDID) 201 201 - if holdEndpoint == "" { 200 200 + holdEndpoint, err := atproto.ResolveHoldURL(r.Context(), holdDID) 201 201 + if err != nil { 202 202 + slog.Warn("Failed to resolve hold endpoint", "holdDid", holdDID, "error", err) 202 203 http.Error(w, "Failed to resolve hold", http.StatusInternalServerError) 203 204 return 204 205 } ··· 285 286 } 286 287 287 288 // Resolve hold endpoint 288 288 - holdEndpoint := atproto.ResolveHoldURL(holdDID) 289 289 - if holdEndpoint == "" { 289 289 + holdEndpoint, err := atproto.ResolveHoldURL(r.Context(), holdDID) 290 290 + if err != nil { 291 291 + slog.Warn("Failed to resolve hold endpoint", "holdDid", holdDID, "error", err) 290 292 http.Error(w, "Failed to resolve hold", http.StatusInternalServerError) 291 293 return 292 294 }

+5 -3

pkg/appview/holdhealth/checker.go

··· 51 51 // Checks {endpoint}/xrpc/_health and returns true if reachable 52 52 func (c *Checker) CheckHealth(ctx context.Context, endpoint string) (bool, error) { 53 53 // Convert DID to HTTP URL if needed 54 54 - // did:web:hold.example.com → https://hold.example.com 55 55 - // https://hold.example.com → https://hold.example.com (passthrough) 56 56 - httpURL := atproto.ResolveHoldURL(endpoint) 54 54 + // Resolves any DID (did:web, did:plc) via identity directory 55 55 + httpURL, err := atproto.ResolveHoldURL(ctx, endpoint) 56 56 + if err != nil { 57 57 + return false, fmt.Errorf("failed to resolve hold URL: %w", err) 58 58 + } 57 59 58 60 // Build health check URL 59 61 healthURL := httpURL + "/xrpc/_health"

+5 -9

pkg/appview/holdhealth/checker_test.go

··· 65 65 checker := NewChecker(15 * time.Minute) 66 66 ctx := context.Background() 67 67 68 68 - // Test with DID format (did:web:host) 69 69 - // Extract host:port from test server URL 70 70 - // http://127.0.0.1:12345 → did:web:127.0.0.1:12345 71 71 - serverURL := server.URL 72 72 - didFormat := "did:web:" + serverURL[7:] // Remove "http://" 73 73 - 74 74 - reachable, err := checker.CheckHealth(ctx, didFormat) 68 68 + // Test with URL format (DID resolution requires real identity directory, 69 69 + // so we test with the URL format which passes through directly) 70 70 + reachable, err := checker.CheckHealth(ctx, server.URL) 75 71 if err != nil { 76 76 - t.Errorf("CheckHealth with DID returned error: %v", err) 72 72 + t.Errorf("CheckHealth with URL returned error: %v", err) 77 73 } 78 74 79 75 if !reachable { 80 80 - t.Error("Expected hold to be reachable with DID format") 76 76 + t.Error("Expected hold to be reachable with URL format") 81 77 } 82 78 } 83 79

+8 -2

pkg/appview/jetstream/backfill.go

··· 396 396 } 397 397 398 398 // Resolve hold DID to URL 399 399 - holdURL := atproto.ResolveHoldURL(holdDID) 399 399 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 400 400 + if err != nil { 401 401 + return fmt.Errorf("failed to resolve hold URL for %s: %w", holdDID, err) 402 402 + } 400 403 401 404 // Create client for hold's PDS 402 405 holdClient := atproto.NewClient(holdURL, holdDID, "") ··· 442 445 // This is necessary for localhost/private holds that aren't discoverable via the relay 443 446 func (b *BackfillWorker) queryCrewRecords(ctx context.Context, holdDID string) error { 444 447 // Resolve hold DID to URL 445 445 - holdURL := atproto.ResolveHoldURL(holdDID) 448 448 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 449 449 + if err != nil { 450 450 + return fmt.Errorf("failed to resolve hold URL for %s: %w", holdDID, err) 451 451 + } 446 452 447 453 // Create client for hold's PDS 448 454 holdClient := atproto.NewClient(holdURL, holdDID, "")

+16 -12

pkg/appview/middleware/registry.go

··· 296 296 297 297 // Single-hop hold migration: check if this hold has declared a successor 298 298 holdDID = nr.resolveSuccessor(ctx, holdDID) 299 299 + 300 300 + // Resolve hold DID to HTTP URL via identity directory (cached 24h) 301 301 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 302 302 + if err != nil { 303 303 + return nil, fmt.Errorf("failed to resolve hold URL for %s: %w", holdDID, err) 304 304 + } 305 305 + 299 306 // Auto-reconcile crew membership on first push/pull 300 307 // This ensures users can push immediately after docker login without web sign-in 301 308 // EnsureCrewMembership is best-effort and logs errors without failing the request ··· 463 470 DID: did, 464 471 Handle: handle, 465 472 HoldDID: holdDID, 473 473 + HoldURL: holdURL, 466 474 PDSEndpoint: pdsEndpoint, 467 475 Repository: repositoryName, 468 476 ServiceToken: serviceToken, // Cached service token from puller's PDS ··· 551 559 // isHoldReachable checks if a hold service is reachable 552 560 // Used in test mode to fallback to default hold when user's hold is unavailable 553 561 func (nr *NamespaceResolver) isHoldReachable(ctx context.Context, holdDID string) bool { 554 554 - // Try to fetch the DID document 555 555 - hostname := strings.TrimPrefix(holdDID, "did:web:") 556 556 - 557 557 - // Try HTTP first (local), then HTTPS 558 558 - for _, scheme := range []string{"http", "https"} { 559 559 - testURL := fmt.Sprintf("%s://%s/.well-known/did.json", scheme, hostname) 560 560 - client := atproto.NewClient("", "", "") 561 561 - _, err := client.FetchDIDDocument(ctx, testURL) 562 562 - if err == nil { 563 563 - return true 564 564 - } 562 562 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 563 563 + if err != nil { 564 564 + slog.Debug("Cannot resolve hold URL for reachability check", "component", "registry/middleware", "holdDID", holdDID, "error", err) 565 565 + return false 565 566 } 566 567 567 567 - return false 568 568 + testURL := holdURL + "/.well-known/did.json" 569 569 + client := atproto.NewClient("", "", "") 570 570 + _, err = client.FetchDIDDocument(ctx, testURL) 571 571 + return err == nil 568 572 } 569 573 570 574 // ExtractAuthMethod is an HTTP middleware that extracts the auth method and puller DID from the JWT Authorization header

+2 -4

pkg/appview/middleware/registry_test.go

··· 270 270 ctx := context.Background() 271 271 272 272 t.Run("reachable hold", func(t *testing.T) { 273 273 - // Extract hostname from test server URL 274 274 - // The mock server URL is like http://127.0.0.1:port, so we use the host part 275 275 - holdDID := fmt.Sprintf("did:web:%s", mockHold.Listener.Addr().String()) 276 276 - reachable := resolver.isHoldReachable(ctx, holdDID) 273 273 + // Use URL format directly — DID resolution requires real identity directory 274 274 + reachable := resolver.isHoldReachable(ctx, mockHold.URL) 277 275 assert.True(t, reachable, "should detect reachable hold") 278 276 }) 279 277

+2 -1

pkg/appview/storage/context.go

··· 21 21 // Puller = the authenticated user making the request (from JWT Subject) 22 22 DID string // Owner's DID - whose repo is being accessed (e.g., "did:plc:abc123") 23 23 Handle string // Owner's handle (e.g., "alice.bsky.social") 24 24 - HoldDID string // Hold service DID (e.g., "did:web:hold01.atcr.io") 24 24 + HoldDID string // Hold service DID (e.g., "did:web:hold01.atcr.io" or "did:plc:abc123") 25 25 + HoldURL string // Resolved HTTP URL for the hold service 25 26 PDSEndpoint string // Owner's PDS endpoint URL 26 27 Repository string // Image repository name (e.g., "debian") 27 28 ServiceToken string // Service token for hold authentication (from puller's PDS)

+5 -1

pkg/appview/storage/crew.go

··· 30 30 } 31 31 32 32 // Resolve hold DID to HTTP endpoint 33 33 - holdEndpoint := atproto.ResolveHoldURL(holdDID) 33 33 + holdEndpoint, err := atproto.ResolveHoldURL(ctx, holdDID) 34 34 + if err != nil { 35 35 + slog.Warn("failed to resolve hold URL", "holdDID", holdDID, "error", err) 36 36 + return 37 37 + } 34 38 35 39 // Get service token for the hold 36 40 // Only works with OAuth (refresher required) - app passwords can't get service tokens

+2 -3

pkg/appview/storage/manifest_store.go

··· 337 337 return nil 338 338 } 339 339 340 340 - // Resolve hold DID to HTTP endpoint 341 341 - // For did:web, this is straightforward (e.g., did:web:hold01.atcr.io → https://hold01.atcr.io) 342 342 - holdEndpoint := atproto.ResolveHoldURL(s.ctx.HoldDID) 340 340 + // Use pre-resolved hold URL from RegistryContext 341 341 + holdEndpoint := s.ctx.HoldURL 343 342 344 343 // Use service token from middleware (already cached and validated) 345 344 serviceToken := s.ctx.ServiceToken

+2 -2

pkg/appview/storage/proxy_blob_store.go

··· 40 40 41 41 // NewProxyBlobStore creates a new proxy blob store 42 42 func NewProxyBlobStore(ctx *RegistryContext) *ProxyBlobStore { 43 43 - // Resolve DID to URL once at construction time 44 44 - holdURL := atproto.ResolveHoldURL(ctx.HoldDID) 43 43 + // Use pre-resolved URL from RegistryContext (resolved in Registry.Repository()) 44 44 + holdURL := ctx.HoldURL 45 45 46 46 slog.Debug("NewProxyBlobStore created", "component", "proxy_blob_store", "hold_did", ctx.HoldDID, "hold_url", holdURL, "user_did", ctx.DID, "repo", ctx.Repository) 47 47

+15 -10

pkg/appview/storage/proxy_blob_store_test.go

··· 197 197 } 198 198 } 199 199 200 200 - // TestResolveHoldURL tests DID to URL conversion 200 200 + // TestResolveHoldURL tests URL passthrough (no network needed) 201 201 func TestResolveHoldURL(t *testing.T) { 202 202 + ctx := context.Background() 202 203 tests := []struct { 203 204 name string 204 204 - holdDID string 205 205 + holdURL string 205 206 expected string 206 207 }{ 207 208 { 208 208 - name: "did:web with http (TEST_MODE)", 209 209 - holdDID: "did:web:localhost:8080", 209 209 + name: "http URL passthrough", 210 210 + holdURL: "http://localhost:8080", 210 211 expected: "http://localhost:8080", 211 212 }, 212 213 { 213 213 - name: "did:web with https (production)", 214 214 - holdDID: "did:web:hold01.atcr.io", 214 214 + name: "https URL passthrough", 215 215 + holdURL: "https://hold01.atcr.io", 215 216 expected: "https://hold01.atcr.io", 216 217 }, 217 218 { 218 218 - name: "did:web with port", 219 219 - holdDID: "did:web:hold.example.com:3000", 219 219 + name: "http URL with port passthrough", 220 220 + holdURL: "http://hold.example.com:3000", 220 221 expected: "http://hold.example.com:3000", 221 222 }, 222 223 } 223 224 224 225 for _, tt := range tests { 225 226 t.Run(tt.name, func(t *testing.T) { 226 226 - result := atproto.ResolveHoldURL(tt.holdDID) 227 227 + result, err := atproto.ResolveHoldURL(ctx, tt.holdURL) 228 228 + if err != nil { 229 229 + t.Fatalf("Unexpected error: %v", err) 230 230 + } 227 231 if result != tt.expected { 228 232 t.Errorf("Expected %s, got %s", tt.expected, result) 229 233 } ··· 277 281 278 282 // TestNewProxyBlobStore tests ProxyBlobStore creation 279 283 func TestNewProxyBlobStore(t *testing.T) { 284 284 + expectedURL := "https://hold.example.com" 280 285 ctx := &RegistryContext{ 281 286 DID: "did:plc:test", 282 287 HoldDID: "did:web:hold.example.com", 288 288 + HoldURL: expectedURL, 283 289 PDSEndpoint: "https://pds.example.com", 284 290 Repository: "test-repo", 285 291 } ··· 298 304 t.Error("Expected holdURL to be set") 299 305 } 300 306 301 301 - expectedURL := "https://hold.example.com" 302 307 if store.holdURL != expectedURL { 303 308 t.Errorf("Expected holdURL %s, got %s", expectedURL, store.holdURL) 304 309 }

+43 -21

pkg/atproto/resolver.go

··· 8 8 "github.com/bluesky-social/indigo/atproto/syntax" 9 9 ) 10 10 11 11 - // ResolveHoldURL converts a hold identifier (DID or URL) to an HTTP/HTTPS URL 12 12 - // Handles both formats for backward compatibility: 13 13 - // - DID format: did:web:hold01.atcr.io → https://hold01.atcr.io 14 14 - // - DID with port: did:web:172.28.0.3:8080 → http://172.28.0.3:8080 15 15 - // - URL format: https://hold.example.com → https://hold.example.com (passthrough) 16 16 - func ResolveHoldURL(holdIdentifier string) string { 11 11 + // ResolveHoldURL converts a hold identifier (DID or URL) to an HTTP/HTTPS URL. 12 12 + // For DIDs (both did:web and did:plc), resolves via the indigo identity directory 13 13 + // which caches results (24h TTL). Prefers the #atcr_hold service endpoint, 14 14 + // falls back to #atproto_pds. 15 15 + // 16 16 + // Supported formats: 17 17 + // - URL: https://hold.example.com → passthrough 18 18 + // - DID: did:web:hold01.atcr.io → resolved via /.well-known/did.json 19 19 + // - DID: did:plc:abc123 → resolved via PLC directory 20 20 + func ResolveHoldURL(ctx context.Context, holdIdentifier string) (string, error) { 17 21 // If it's already a URL (has scheme), return as-is 18 22 if strings.HasPrefix(holdIdentifier, "http://") || strings.HasPrefix(holdIdentifier, "https://") { 19 19 - return holdIdentifier 23 23 + return holdIdentifier, nil 20 24 } 21 25 22 22 - // If it's a DID, convert to URL 23 23 - if after, ok := strings.CutPrefix(holdIdentifier, "did:web:"); ok { 24 24 - hostname := after 25 25 - 26 26 - // Use HTTP for localhost/IP addresses with ports, HTTPS for domains 27 27 - if strings.Contains(hostname, ":") || 28 28 - strings.Contains(hostname, "127.0.0.1") || 29 29 - strings.Contains(hostname, "localhost") || 30 30 - // Check if it's an IP address (contains only digits and dots in first part) 31 31 - (len(hostname) > 0 && hostname[0] >= '0' && hostname[0] <= '9') { 32 32 - return "http://" + hostname 33 33 - } 34 34 - return "https://" + hostname 26 26 + // If it's a DID, resolve via identity directory 27 27 + if strings.HasPrefix(holdIdentifier, "did:") { 28 28 + return ResolveHoldDIDToURL(ctx, holdIdentifier) 35 29 } 36 30 37 31 // Fallback: assume it's a hostname and use HTTPS 38 38 - return "https://" + holdIdentifier 32 32 + return "https://" + holdIdentifier, nil 33 33 + } 34 34 + 35 35 + // ResolveHoldDIDToURL resolves a hold DID to its HTTP service endpoint. 36 36 + // Prefers the #atcr_hold service endpoint, falls back to #atproto_pds. 37 37 + // Uses the shared identity directory with cache TTL and event-driven invalidation. 38 38 + func ResolveHoldDIDToURL(ctx context.Context, did string) (string, error) { 39 39 + directory := GetDirectory() 40 40 + didParsed, err := syntax.ParseDID(did) 41 41 + if err != nil { 42 42 + return "", fmt.Errorf("invalid hold DID %q: %w", did, err) 43 43 + } 44 44 + 45 45 + ident, err := directory.LookupDID(ctx, didParsed) 46 46 + if err != nil { 47 47 + return "", fmt.Errorf("failed to resolve hold DID %s: %w", did, err) 48 48 + } 49 49 + 50 50 + // Prefer #atcr_hold service (hold-specific endpoint) 51 51 + if url := ident.GetServiceEndpoint("atcr_hold"); url != "" { 52 52 + return url, nil 53 53 + } 54 54 + 55 55 + // Fall back to #atproto_pds (hold publishes both with same URL) 56 56 + if url := ident.PDSEndpoint(); url != "" { 57 57 + return url, nil 58 58 + } 59 59 + 60 60 + return "", fmt.Errorf("no hold or PDS service endpoint found for DID %s", did) 39 61 } 40 62 41 63 // ResolveDIDToPDS resolves a DID to its PDS endpoint.

+48 -89

pkg/atproto/resolver_test.go

··· 7 7 ) 8 8 9 9 func TestResolveHoldURL(t *testing.T) { 10 10 + ctx := context.Background() 11 11 + 12 12 + // URL passthrough and hostname fallback tests (no network needed) 10 13 tests := []struct { 11 14 name string 12 15 holdIdentifier string ··· 39 42 want: "http://hold.example.com/some/path", 40 43 }, 41 44 42 42 - // did:web to HTTPS (domain names) 43 43 - { 44 44 - name: "did:web domain to https", 45 45 - holdIdentifier: "did:web:hold01.atcr.io", 46 46 - want: "https://hold01.atcr.io", 47 47 - }, 48 48 - { 49 49 - name: "did:web subdomain to https", 50 50 - holdIdentifier: "did:web:my-hold.example.com", 51 51 - want: "https://my-hold.example.com", 52 52 - }, 53 53 - { 54 54 - name: "did:web simple domain to https", 55 55 - holdIdentifier: "did:web:example.com", 56 56 - want: "https://example.com", 57 57 - }, 58 58 - 59 59 - // did:web to HTTP (ports) 60 60 - { 61 61 - name: "did:web with port to http", 62 62 - holdIdentifier: "did:web:172.28.0.3:8080", 63 63 - want: "http://172.28.0.3:8080", 64 64 - }, 65 65 - { 66 66 - name: "did:web domain with port to http", 67 67 - holdIdentifier: "did:web:hold.example.com:8080", 68 68 - want: "http://hold.example.com:8080", 69 69 - }, 70 70 - { 71 71 - name: "did:web localhost with port to http", 72 72 - holdIdentifier: "did:web:localhost:8080", 73 73 - want: "http://localhost:8080", 74 74 - }, 75 75 - 76 76 - // did:web to HTTP (localhost) 77 77 - { 78 78 - name: "did:web localhost to http", 79 79 - holdIdentifier: "did:web:localhost", 80 80 - want: "http://localhost", 81 81 - }, 82 82 - 83 83 - // did:web to HTTP (127.0.0.1) 84 84 - { 85 85 - name: "did:web 127.0.0.1 to http", 86 86 - holdIdentifier: "did:web:127.0.0.1", 87 87 - want: "http://127.0.0.1", 88 88 - }, 89 89 - { 90 90 - name: "did:web 127.0.0.1 with port to http", 91 91 - holdIdentifier: "did:web:127.0.0.1:8080", 92 92 - want: "http://127.0.0.1:8080", 93 93 - }, 94 94 - 95 95 - // did:web to HTTP (IP addresses) 96 96 - { 97 97 - name: "did:web IPv4 address to http", 98 98 - holdIdentifier: "did:web:192.168.1.1", 99 99 - want: "http://192.168.1.1", 100 100 - }, 101 101 - { 102 102 - name: "did:web IPv4 with port to http", 103 103 - holdIdentifier: "did:web:10.0.0.5:3000", 104 104 - want: "http://10.0.0.5:3000", 105 105 - }, 106 106 - { 107 107 - name: "did:web private IP to http", 108 108 - holdIdentifier: "did:web:172.16.0.1", 109 109 - want: "http://172.16.0.1", 110 110 - }, 111 111 - 112 112 - // Fallback behavior (plain hostname) 45 45 + // Fallback behavior (plain hostname — not a DID, not a URL) 113 46 { 114 47 name: "plain hostname fallback to https", 115 48 holdIdentifier: "hold.example.com", ··· 127 60 holdIdentifier: "", 128 61 want: "https://", 129 62 }, 130 130 - { 131 131 - name: "did:web empty hostname", 132 132 - holdIdentifier: "did:web:", 133 133 - want: "https://", 134 134 - }, 135 135 - { 136 136 - name: "just did:web prefix", 137 137 - holdIdentifier: "did:web", 138 138 - want: "https://did:web", 139 139 - }, 140 63 } 141 64 142 65 for _, tt := range tests { 143 66 t.Run(tt.name, func(t *testing.T) { 144 144 - got := ResolveHoldURL(tt.holdIdentifier) 67 67 + got, err := ResolveHoldURL(ctx, tt.holdIdentifier) 68 68 + if err != nil { 69 69 + t.Errorf("ResolveHoldURL(%q) unexpected error: %v", tt.holdIdentifier, err) 70 70 + } 145 71 if got != tt.want { 146 72 t.Errorf("ResolveHoldURL(%q) = %q, want %q", tt.holdIdentifier, got, tt.want) 147 73 } ··· 149 75 } 150 76 } 151 77 152 152 - // TestResolveHoldURLRoundTrip tests that converting back and forth works 78 78 + // TestResolveHoldURLDIDRequiresNetwork tests that DID resolution requires 79 79 + // the identity directory (which needs network access) 80 80 + func TestResolveHoldURLDIDRequiresNetwork(t *testing.T) { 81 81 + ctx := context.Background() 82 82 + 83 83 + // did:web and did:plc both go through the identity directory now. 84 84 + // Without a real server, these should return errors. 85 85 + tests := []struct { 86 86 + name string 87 87 + holdIdentifier string 88 88 + }{ 89 89 + {"did:web nonexistent", "did:web:nonexistent.example.invalid"}, 90 90 + {"did:plc nonexistent", "did:plc:nonexistent000000000000"}, 91 91 + } 92 92 + 93 93 + for _, tt := range tests { 94 94 + t.Run(tt.name, func(t *testing.T) { 95 95 + _, err := ResolveHoldURL(ctx, tt.holdIdentifier) 96 96 + if err == nil { 97 97 + t.Errorf("ResolveHoldURL(%q) expected error for unresolvable DID, got nil", tt.holdIdentifier) 98 98 + } 99 99 + }) 100 100 + } 101 101 + } 102 102 + 103 103 + // TestResolveHoldURLRoundTrip tests that URL passthrough is idempotent 153 104 func TestResolveHoldURLRoundTrip(t *testing.T) { 105 105 + ctx := context.Background() 106 106 + 154 107 tests := []struct { 155 108 name string 156 109 input string 157 110 wantHTTP bool // true if result should be http, false for https 158 111 }{ 159 159 - {"domain to https and idempotent", "did:web:hold.atcr.io", false}, 160 160 - {"IP to http and idempotent", "did:web:192.168.1.1", true}, 161 161 - {"port to http and idempotent", "did:web:example.com:8080", true}, 112 112 + {"http URL idempotent", "http://192.168.1.1", true}, 113 113 + {"https URL idempotent", "https://hold.atcr.io", false}, 114 114 + {"http URL with port idempotent", "http://example.com:8080", true}, 162 115 } 163 116 164 117 for _, tt := range tests { 165 118 t.Run(tt.name, func(t *testing.T) { 166 166 - // First conversion 167 167 - first := ResolveHoldURL(tt.input) 119 119 + // First conversion (URL passthrough) 120 120 + first, err := ResolveHoldURL(ctx, tt.input) 121 121 + if err != nil { 122 122 + t.Fatalf("First ResolveHoldURL(%q) error: %v", tt.input, err) 123 123 + } 168 124 169 125 // Second conversion (should be idempotent since output is URL) 170 170 - second := ResolveHoldURL(first) 126 126 + second, err := ResolveHoldURL(ctx, first) 127 127 + if err != nil { 128 128 + t.Fatalf("Second ResolveHoldURL(%q) error: %v", first, err) 129 129 + } 171 130 172 131 if first != second { 173 132 t.Errorf("ResolveHoldURL is not idempotent: first=%q, second=%q", first, second)

+8 -2

pkg/auth/hold_remote.go

··· 222 222 // fetchCaptainRecordFromXRPC queries the hold's XRPC endpoint for captain record 223 223 func (a *RemoteHoldAuthorizer) fetchCaptainRecordFromXRPC(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) { 224 224 // Resolve DID to URL 225 225 - holdURL := atproto.ResolveHoldURL(holdDID) 225 225 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 226 226 + if err != nil { 227 227 + return nil, fmt.Errorf("failed to resolve hold URL: %w", err) 228 228 + } 226 229 227 230 // Build XRPC request URL 228 231 // GET /xrpc/com.atproto.repo.getRecord?repo={did}&collection=io.atcr.hold.captain&rkey=self ··· 327 330 // Uses O(1) lookup via getRecord with hash-based rkey instead of pagination 328 331 func (a *RemoteHoldAuthorizer) isCrewMemberNoCache(ctx context.Context, holdDID, userDID string) (bool, error) { 329 332 // Resolve DID to URL 330 330 - holdURL := atproto.ResolveHoldURL(holdDID) 333 333 + holdURL, err := atproto.ResolveHoldURL(ctx, holdDID) 334 334 + if err != nil { 335 335 + return false, fmt.Errorf("failed to resolve hold URL: %w", err) 336 336 + } 331 337 332 338 // Generate deterministic rkey from member DID (hash-based) 333 339 rkey := atproto.CrewRecordKey(userDID)