+34

.sqlx/query-9bd55935253b57b1b7e2d2bf69509e571af810234fa61368f58dd72e1d111cc5.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "SELECT id, did, migrated_to_pds FROM users WHERE handle = $1", 4 4 + "describe": { 5 5 + "columns": [ 6 6 + { 7 7 + "ordinal": 0, 8 8 + "name": "id", 9 9 + "type_info": "Uuid" 10 10 + }, 11 11 + { 12 12 + "ordinal": 1, 13 13 + "name": "did", 14 14 + "type_info": "Text" 15 15 + }, 16 16 + { 17 17 + "ordinal": 2, 18 18 + "name": "migrated_to_pds", 19 19 + "type_info": "Text" 20 20 + } 21 21 + ], 22 22 + "parameters": { 23 23 + "Left": [ 24 24 + "Text" 25 25 + ] 26 26 + }, 27 27 + "nullable": [ 28 28 + false, 29 29 + false, 30 30 + true 31 31 + ] 32 32 + }, 33 33 + "hash": "9bd55935253b57b1b7e2d2bf69509e571af810234fa61368f58dd72e1d111cc5" 34 34 + }

-28

.sqlx/query-b2c53e6a278c4549c99a5b98cc7ca77fc1e9cd39a591c1d8ec1ca41adfffa3a6.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "SELECT id, did FROM users WHERE handle = $1", 4 4 - "describe": { 5 5 - "columns": [ 6 6 - { 7 7 - "ordinal": 0, 8 8 - "name": "id", 9 9 - "type_info": "Uuid" 10 10 - }, 11 11 - { 12 12 - "ordinal": 1, 13 13 - "name": "did", 14 14 - "type_info": "Text" 15 15 - } 16 16 - ], 17 17 - "parameters": { 18 18 - "Left": [ 19 19 - "Text" 20 20 - ] 21 21 - }, 22 22 - "nullable": [ 23 23 - false, 24 24 - false 25 25 - ] 26 26 - }, 27 27 - "hash": "b2c53e6a278c4549c99a5b98cc7ca77fc1e9cd39a591c1d8ec1ca41adfffa3a6" 28 28 - }

+10

Cargo.lock

··· 930 930 ] 931 931 932 932 [[package]] 933 933 + name = "bs58" 934 934 + version = "0.5.1" 935 935 + source = "registry+https://github.com/rust-lang/crates.io-index" 936 936 + checksum = "bf88ba1141d185c399bee5288d850d63b8369520c1eafc32a0430b5b6c287bf4" 937 937 + dependencies = [ 938 938 + "tinyvec", 939 939 + ] 940 940 + 941 941 + [[package]] 933 942 name = "btree-range-map" 934 943 version = "0.7.2" 935 944 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 6175 6184 "base32", 6176 6185 "base64 0.22.1", 6177 6186 "bcrypt", 6187 6187 + "bs58", 6178 6188 "bytes", 6179 6189 "chrono", 6180 6190 "cid",

+1

Cargo.toml

··· 55 55 hickory-resolver = { version = "0.24", features = ["tokio-runtime"] } 56 56 metrics = "0.24" 57 57 metrics-exporter-prometheus = { version = "0.16", default-features = false, features = ["http-listener"] } 58 58 + bs58 = "0.5.1" 58 59 [features] 59 60 external-infra = [] 60 61 [dev-dependencies]

+30 -14

TODO.md

··· 9 9 - [ ] Unique "brand" style both unauthed and authed 10 10 - [ ] Better documentation on how to sub out the entire frontend for whatever the users want 11 11 12 12 + ### Passkeys and 2FA 13 13 + Modern passwordless authentication using WebAuthn/FIDO2, plus TOTP for defense in depth. 14 14 + 15 15 + - [ ] passkeys table (id, did, credential_id, public_key, sign_count, created_at, last_used, friendly_name) 16 16 + - [ ] user_totp table (did, secret_encrypted, verified, created_at, last_used) 17 17 + - [ ] WebAuthn registration challenge generation and attestation verification 18 18 + - [ ] TOTP secret generation with QR code setup flow 19 19 + - [ ] Backup codes (hashed, one-time use) with recovery flow 20 20 + - [ ] OAuth authorize flow: password -> 2FA (if enabled) -> passkey (as alternative) 21 21 + - [ ] Passkey-only account creation (no password) 22 22 + - [ ] Settings UI for managing passkeys, TOTP, backup codes 23 23 + - [ ] Trusted devices option (remember this browser) 24 24 + - [ ] Rate limit 2FA attempts 25 25 + - [ ] Re-auth for sensitive actions (email change, adding new auth methods) 26 26 + 12 27 ### Delegated accounts 13 28 Accounts controlled by other accounts rather than having their own password. When logging in as a delegated account, OAuth asks you to authenticate with a linked controller account. Uses OAuth scopes as the permission model. 14 29 ··· 26 41 - [ ] Log all actions with both actor DID and controller DID 27 42 - [ ] Audit log view for delegated account owners 28 43 29 29 - ### Passkeys and 2FA 30 30 - Modern passwordless authentication using WebAuthn/FIDO2, plus TOTP for defense in depth. 44 44 + ### Migration tool 45 45 + Seamless account migration built into the UI, inspired by pdsmoover. Users shouldn't need external tools or brain surgery on half-done account states. 31 46 32 32 - - [ ] passkeys table (id, did, credential_id, public_key, sign_count, created_at, last_used, friendly_name) 33 33 - - [ ] user_totp table (did, secret_encrypted, verified, created_at, last_used) 34 34 - - [ ] WebAuthn registration challenge generation and attestation verification 35 35 - - [ ] TOTP secret generation with QR code setup flow 36 36 - - [ ] Backup codes (hashed, one-time use) with recovery flow 37 37 - - [ ] OAuth authorize flow: password → 2FA (if enabled) → passkey (as alternative) 38 38 - - [ ] Passkey-only account creation (no password) 39 39 - - [ ] Settings UI for managing passkeys, TOTP, backup codes 40 40 - - [ ] Trusted devices option (remember this browser) 41 41 - - [ ] Rate limit 2FA attempts 42 42 - - [ ] Re-auth for sensitive actions (email change, adding new auth methods) 47 47 + - [ ] Add `migratingTo` parameter to `deactivateAccount` endpoint 48 48 + - [ ] For self-hosted did:web users: set `migrated_to_pds`, update DID doc serviceEndpoint 49 49 + - [ ] "Migrated" account state for self-hosted did:web: can authenticate but no repo operations 50 50 + - [ ] Migrated did:web user UI: minimal dashboard with "update forwarding PDS" setting, or full migration wizard to handle PDS 2 -> PDS 3 moves automatically 51 51 + - [ ] Outbound UI wizard: new PDS URL -> export repo -> guide account creation -> complete migration 52 52 + - [ ] Inbound UI wizard: login to old PDS -> choose handle -> import -> PLC token flow 53 53 + - [ ] Support `createAccount` with existing DID + service auth token 54 54 + - [ ] Progress tracking with resume capability 55 55 + - [ ] Scheduled automatic backups (CAR export) 56 56 + - [ ] One-click restore from backup 43 57 44 58 ### Plugin system 45 59 Extensible architecture allowing third-party plugins to add functionality, like minecraft mods or browser extensions. ··· 74 88 75 89 ## Completed 76 90 77 77 - Core ATProto: Health, describeServer, all session endpoints, full repo CRUD, applyWrites, blob upload, importRepo, firehose with cursor replay, CAR export, blob sync, crawler notifications, handle resolution, PLC operations, did:web, full admin API, moderation reports. 91 91 + Core ATProto: Health, describeServer, all session endpoints, full repo CRUD, applyWrites, blob upload, importRepo, firehose with cursor replay, CAR export, blob sync, crawler notifications, handle resolution, PLC operations, full admin API, moderation reports. 92 92 + 93 93 + did:web support: Self-hosted did:web (subdomain format `did:web:handle.pds.com`), external/BYOD did:web, DID document serving via `/.well-known/did.json`, migration tracking for did:web users who leave (serviceEndpoint redirect), clear registration warnings about did:web trade-offs vs did:plc. 78 94 79 95 OAuth 2.1: Authorization server metadata, JWKS, PAR, authorize endpoint with login UI, token endpoint (auth code + refresh), revocation, introspection, DPoP, PKCE S256, client metadata validation, private_key_jwt verification. 80 96

+6

frontend/src/lib/api.ts

··· 71 71 72 72 export type VerificationChannel = 'email' | 'discord' | 'telegram' | 'signal' 73 73 74 74 + export type DidType = 'plc' | 'web' | 'web-external' 75 75 + 74 76 export interface CreateAccountParams { 75 77 handle: string 76 78 email: string 77 79 password: string 78 80 inviteCode?: string 81 81 + didType?: DidType 82 82 + did?: string 79 83 verificationChannel?: VerificationChannel 80 84 discordId?: string 81 85 telegramUsername?: string ··· 109 113 email: params.email, 110 114 password: params.password, 111 115 inviteCode: params.inviteCode, 116 116 + didType: params.didType, 117 117 + did: params.did, 112 118 verificationChannel: params.verificationChannel, 113 119 discordId: params.discordId, 114 120 telegramUsername: params.telegramUsername,

+141 -1

frontend/src/routes/Register.svelte

··· 1 1 <script lang="ts"> 2 2 import { register, getAuthState } from '../lib/auth.svelte' 3 3 import { navigate } from '../lib/router.svelte' 4 4 - import { api, ApiError, type VerificationChannel } from '../lib/api' 4 4 + import { api, ApiError, type VerificationChannel, type DidType } from '../lib/api' 5 5 6 6 const STORAGE_KEY = 'tranquil_pds_pending_verification' 7 7 ··· 14 14 let discordId = $state('') 15 15 let telegramUsername = $state('') 16 16 let signalNumber = $state('') 17 17 + let didType = $state<DidType>('plc') 18 18 + let externalDid = $state('') 17 19 let submitting = $state(false) 18 20 let error = $state<string | null>(null) 19 21 let serverInfo = $state<{ ··· 56 58 if (serverInfo?.inviteCodeRequired && !inviteCode.trim()) { 57 59 return 'Invite code is required' 58 60 } 61 61 + if (didType === 'web-external') { 62 62 + if (!externalDid.trim()) return 'External did:web is required' 63 63 + if (!externalDid.trim().startsWith('did:web:')) return 'External DID must start with did:web:' 64 64 + } 59 65 switch (verificationChannel) { 60 66 case 'email': 61 67 if (!email.trim()) return 'Email is required for email verification' ··· 88 94 email: email.trim(), 89 95 password, 90 96 inviteCode: inviteCode.trim() || undefined, 97 97 + didType, 98 98 + did: didType === 'web-external' ? externalDid.trim() : undefined, 91 99 verificationChannel, 92 100 discordId: discordId.trim() || undefined, 93 101 telegramUsername: telegramUsername.trim() || undefined, ··· 171 179 required 172 180 /> 173 181 </div> 182 182 + <fieldset class="identity-section"> 183 183 + <legend>Identity Type</legend> 184 184 + <p class="section-hint">Choose how your decentralized identity will be managed.</p> 185 185 + <div class="radio-group"> 186 186 + <label class="radio-label"> 187 187 + <input 188 188 + type="radio" 189 189 + name="didType" 190 190 + value="plc" 191 191 + bind:group={didType} 192 192 + disabled={submitting} 193 193 + /> 194 194 + <span class="radio-content"> 195 195 + <strong>did:plc</strong> (Recommended) 196 196 + <span class="radio-hint">Portable identity managed by PLC Directory</span> 197 197 + </span> 198 198 + </label> 199 199 + <label class="radio-label"> 200 200 + <input 201 201 + type="radio" 202 202 + name="didType" 203 203 + value="web" 204 204 + bind:group={didType} 205 205 + disabled={submitting} 206 206 + /> 207 207 + <span class="radio-content"> 208 208 + <strong>did:web</strong> 209 209 + <span class="radio-hint">Identity hosted on this PDS (read warning below)</span> 210 210 + </span> 211 211 + </label> 212 212 + <label class="radio-label"> 213 213 + <input 214 214 + type="radio" 215 215 + name="didType" 216 216 + value="web-external" 217 217 + bind:group={didType} 218 218 + disabled={submitting} 219 219 + /> 220 220 + <span class="radio-content"> 221 221 + <strong>did:web (BYOD)</strong> 222 222 + <span class="radio-hint">Bring your own domain</span> 223 223 + </span> 224 224 + </label> 225 225 + </div> 226 226 + {#if didType === 'web'} 227 227 + <div class="did-web-warning"> 228 228 + <strong>Important: Understand the trade-offs</strong> 229 229 + <ul> 230 230 + <li><strong>Permanent tie to this PDS:</strong> Your identity will be <code>did:web:yourhandle.{serverInfo?.availableUserDomains?.[0] || 'this-pds.com'}</code>. Even if you migrate to another PDS later, this server must continue hosting your DID document.</li> 231 231 + <li><strong>No recovery mechanism:</strong> Unlike did:plc, did:web has no rotation keys. If this PDS goes offline permanently, your identity cannot be recovered.</li> 232 232 + <li><strong>We commit to you:</strong> If you migrate away, we will continue serving a minimal DID document pointing to your new PDS. Your identity will remain functional.</li> 233 233 + <li><strong>Recommendation:</strong> Choose did:plc unless you have a specific reason to prefer did:web.</li> 234 234 + </ul> 235 235 + </div> 236 236 + {/if} 237 237 + {#if didType === 'web-external'} 238 238 + <div class="field"> 239 239 + <label for="external-did">Your did:web</label> 240 240 + <input 241 241 + id="external-did" 242 242 + type="text" 243 243 + bind:value={externalDid} 244 244 + placeholder="did:web:yourdomain.com" 245 245 + disabled={submitting} 246 246 + required 247 247 + /> 248 248 + <p class="hint">Your domain must serve a valid DID document at /.well-known/did.json pointing to this PDS</p> 249 249 + </div> 250 250 + {/if} 251 251 + </fieldset> 174 252 <fieldset class="verification-section"> 175 253 <legend>Contact Method</legend> 176 254 <p class="section-hint">Choose how you'd like to verify your account and receive notifications. You only need one.</p> ··· 323 401 padding: 0 0.5rem; 324 402 color: var(--text-primary); 325 403 } 404 404 + .identity-section { 405 405 + border: 1px solid var(--border-color-light); 406 406 + border-radius: 6px; 407 407 + padding: 1rem; 408 408 + margin: 0.5rem 0; 409 409 + } 410 410 + .identity-section legend { 411 411 + font-weight: 600; 412 412 + padding: 0 0.5rem; 413 413 + color: var(--text-primary); 414 414 + } 415 415 + .radio-group { 416 416 + display: flex; 417 417 + flex-direction: column; 418 418 + gap: 0.75rem; 419 419 + } 420 420 + .radio-label { 421 421 + display: flex; 422 422 + align-items: flex-start; 423 423 + gap: 0.5rem; 424 424 + cursor: pointer; 425 425 + } 426 426 + .radio-label input[type="radio"] { 427 427 + margin-top: 0.25rem; 428 428 + } 429 429 + .radio-content { 430 430 + display: flex; 431 431 + flex-direction: column; 432 432 + gap: 0.125rem; 433 433 + } 434 434 + .radio-hint { 435 435 + font-size: 0.75rem; 436 436 + color: var(--text-secondary); 437 437 + } 326 438 .section-hint { 327 439 font-size: 0.8rem; 328 440 color: var(--text-secondary); 329 441 margin: 0 0 1rem 0; 442 442 + } 443 443 + .did-web-warning { 444 444 + margin-top: 1rem; 445 445 + padding: 1rem; 446 446 + background: var(--warning-bg, #fff3cd); 447 447 + border: 1px solid var(--warning-border, #ffc107); 448 448 + border-radius: 6px; 449 449 + font-size: 0.875rem; 450 450 + } 451 451 + .did-web-warning strong { 452 452 + color: var(--warning-text, #856404); 453 453 + } 454 454 + .did-web-warning ul { 455 455 + margin: 0.75rem 0 0 0; 456 456 + padding-left: 1.25rem; 457 457 + } 458 458 + .did-web-warning li { 459 459 + margin-bottom: 0.5rem; 460 460 + line-height: 1.4; 461 461 + } 462 462 + .did-web-warning li:last-child { 463 463 + margin-bottom: 0; 464 464 + } 465 465 + .did-web-warning code { 466 466 + background: rgba(0, 0, 0, 0.1); 467 467 + padding: 0.125rem 0.25rem; 468 468 + border-radius: 3px; 469 469 + font-size: 0.8rem; 330 470 } 331 471 button { 332 472 padding: 0.75rem;

+2

migrations/20251222_add_did_web_migration_tracking.sql

··· 1 1 + ALTER TABLE users ADD COLUMN migrated_to_pds TEXT; 2 2 + ALTER TABLE users ADD COLUMN migrated_at TIMESTAMPTZ;

+115 -71

src/api/identity/account.rs

··· 41 41 pub password: String, 42 42 pub invite_code: Option<String>, 43 43 pub did: Option<String>, 44 44 + pub did_type: Option<String>, 44 45 pub signing_key: Option<String>, 45 46 pub verification_channel: Option<String>, 46 47 pub discord_id: Option<String>, ··· 268 269 .into_response(); 269 270 } 270 271 }; 271 271 - let did = if let Some(d) = &input.did { 272 272 - if d.trim().is_empty() { 273 273 - let rotation_key = std::env::var("PLC_ROTATION_KEY") 274 274 - .unwrap_or_else(|_| signing_key_to_did_key(&signing_key)); 275 275 - let genesis_result = match create_genesis_operation( 276 276 - &signing_key, 277 277 - &rotation_key, 278 278 - &full_handle, 279 279 - &pds_endpoint, 280 280 - ) { 281 281 - Ok(r) => r, 282 282 - Err(e) => { 283 283 - error!("Error creating PLC genesis operation: {:?}", e); 272 272 + let did_type = input.did_type.as_deref().unwrap_or("plc"); 273 273 + let did = match did_type { 274 274 + "web" => { 275 275 + let subdomain_host = format!("{}.{}", input.handle, hostname); 276 276 + let encoded_subdomain = subdomain_host.replace(':', "%3A"); 277 277 + let self_hosted_did = format!("did:web:{}", encoded_subdomain); 278 278 + info!(did = %self_hosted_did, "Creating self-hosted did:web account (subdomain)"); 279 279 + self_hosted_did 280 280 + } 281 281 + "web-external" => { 282 282 + let d = match &input.did { 283 283 + Some(d) if !d.trim().is_empty() => d, 284 284 + _ => { 284 285 return ( 285 285 - StatusCode::INTERNAL_SERVER_ERROR, 286 286 - Json(json!({"error": "InternalError", "message": "Failed to create PLC operation"})), 286 286 + StatusCode::BAD_REQUEST, 287 287 + Json(json!({"error": "InvalidRequest", "message": "External did:web requires the 'did' field to be provided"})), 287 288 ) 288 289 .into_response(); 289 290 } 290 291 }; 291 291 - let plc_client = PlcClient::new(None); 292 292 - if let Err(e) = plc_client 293 293 - .send_operation(&genesis_result.did, &genesis_result.signed_operation) 294 294 - .await 295 295 - { 296 296 - error!("Failed to submit PLC genesis operation: {:?}", e); 292 292 + if !d.starts_with("did:web:") { 297 293 return ( 298 298 - StatusCode::BAD_GATEWAY, 299 299 - Json(json!({ 300 300 - "error": "UpstreamError", 301 301 - "message": format!("Failed to register DID with PLC directory: {}", e) 302 302 - })), 294 294 + StatusCode::BAD_REQUEST, 295 295 + Json( 296 296 + json!({"error": "InvalidDid", "message": "External DID must be a did:web"}), 297 297 + ), 303 298 ) 304 299 .into_response(); 305 300 } 306 306 - info!(did = %genesis_result.did, "Successfully registered DID with PLC directory"); 307 307 - genesis_result.did 308 308 - } else if d.starts_with("did:web:") { 309 301 if let Err(e) = verify_did_web(d, &hostname, &input.handle).await { 310 302 return ( 311 303 StatusCode::BAD_REQUEST, ··· 313 305 ) 314 306 .into_response(); 315 307 } 316 316 - d.clone() 317 317 - } else if d.starts_with("did:plc:") && is_migration { 308 308 + info!(did = %d, "Creating external did:web account"); 318 309 d.clone() 319 319 - } else { 320 320 - return ( 321 321 - StatusCode::BAD_REQUEST, 322 322 - Json(json!({"error": "InvalidDid", "message": "Only did:web DIDs can be provided; leave empty for did:plc. For migration with existing did:plc, provide service auth."})), 323 323 - ) 324 324 - .into_response(); 325 310 } 326 326 - } else { 327 327 - let rotation_key = std::env::var("PLC_ROTATION_KEY") 328 328 - .unwrap_or_else(|_| signing_key_to_did_key(&signing_key)); 329 329 - let genesis_result = match create_genesis_operation( 330 330 - &signing_key, 331 331 - &rotation_key, 332 332 - &full_handle, 333 333 - &pds_endpoint, 334 334 - ) { 335 335 - Ok(r) => r, 336 336 - Err(e) => { 337 337 - error!("Error creating PLC genesis operation: {:?}", e); 338 338 - return ( 339 339 - StatusCode::INTERNAL_SERVER_ERROR, 340 340 - Json(json!({"error": "InternalError", "message": "Failed to create PLC operation"})), 341 341 - ) 342 342 - .into_response(); 311 311 + _ => { 312 312 + if let Some(d) = &input.did { 313 313 + if d.starts_with("did:plc:") && is_migration { 314 314 + info!(did = %d, "Migration with existing did:plc"); 315 315 + d.clone() 316 316 + } else if d.starts_with("did:web:") { 317 317 + if let Err(e) = verify_did_web(d, &hostname, &input.handle).await { 318 318 + return ( 319 319 + StatusCode::BAD_REQUEST, 320 320 + Json(json!({"error": "InvalidDid", "message": e})), 321 321 + ) 322 322 + .into_response(); 323 323 + } 324 324 + d.clone() 325 325 + } else if !d.trim().is_empty() { 326 326 + return ( 327 327 + StatusCode::BAD_REQUEST, 328 328 + Json(json!({"error": "InvalidDid", "message": "Only did:web DIDs can be provided; leave empty for did:plc. For migration with existing did:plc, provide service auth."})), 329 329 + ) 330 330 + .into_response(); 331 331 + } else { 332 332 + let rotation_key = std::env::var("PLC_ROTATION_KEY") 333 333 + .unwrap_or_else(|_| signing_key_to_did_key(&signing_key)); 334 334 + let genesis_result = match create_genesis_operation( 335 335 + &signing_key, 336 336 + &rotation_key, 337 337 + &full_handle, 338 338 + &pds_endpoint, 339 339 + ) { 340 340 + Ok(r) => r, 341 341 + Err(e) => { 342 342 + error!("Error creating PLC genesis operation: {:?}", e); 343 343 + return ( 344 344 + StatusCode::INTERNAL_SERVER_ERROR, 345 345 + Json(json!({"error": "InternalError", "message": "Failed to create PLC operation"})), 346 346 + ) 347 347 + .into_response(); 348 348 + } 349 349 + }; 350 350 + let plc_client = PlcClient::new(None); 351 351 + if let Err(e) = plc_client 352 352 + .send_operation(&genesis_result.did, &genesis_result.signed_operation) 353 353 + .await 354 354 + { 355 355 + error!("Failed to submit PLC genesis operation: {:?}", e); 356 356 + return ( 357 357 + StatusCode::BAD_GATEWAY, 358 358 + Json(json!({ 359 359 + "error": "UpstreamError", 360 360 + "message": format!("Failed to register DID with PLC directory: {}", e) 361 361 + })), 362 362 + ) 363 363 + .into_response(); 364 364 + } 365 365 + info!(did = %genesis_result.did, "Successfully registered DID with PLC directory"); 366 366 + genesis_result.did 367 367 + } 368 368 + } else { 369 369 + let rotation_key = std::env::var("PLC_ROTATION_KEY") 370 370 + .unwrap_or_else(|_| signing_key_to_did_key(&signing_key)); 371 371 + let genesis_result = match create_genesis_operation( 372 372 + &signing_key, 373 373 + &rotation_key, 374 374 + &full_handle, 375 375 + &pds_endpoint, 376 376 + ) { 377 377 + Ok(r) => r, 378 378 + Err(e) => { 379 379 + error!("Error creating PLC genesis operation: {:?}", e); 380 380 + return ( 381 381 + StatusCode::INTERNAL_SERVER_ERROR, 382 382 + Json(json!({"error": "InternalError", "message": "Failed to create PLC operation"})), 383 383 + ) 384 384 + .into_response(); 385 385 + } 386 386 + }; 387 387 + let plc_client = PlcClient::new(None); 388 388 + if let Err(e) = plc_client 389 389 + .send_operation(&genesis_result.did, &genesis_result.signed_operation) 390 390 + .await 391 391 + { 392 392 + error!("Failed to submit PLC genesis operation: {:?}", e); 393 393 + return ( 394 394 + StatusCode::BAD_GATEWAY, 395 395 + Json(json!({ 396 396 + "error": "UpstreamError", 397 397 + "message": format!("Failed to register DID with PLC directory: {}", e) 398 398 + })), 399 399 + ) 400 400 + .into_response(); 401 401 + } 402 402 + info!(did = %genesis_result.did, "Successfully registered DID with PLC directory"); 403 403 + genesis_result.did 343 404 } 344 344 - }; 345 345 - let plc_client = PlcClient::new(None); 346 346 - if let Err(e) = plc_client 347 347 - .send_operation(&genesis_result.did, &genesis_result.signed_operation) 348 348 - .await 349 349 - { 350 350 - error!("Failed to submit PLC genesis operation: {:?}", e); 351 351 - return ( 352 352 - StatusCode::BAD_GATEWAY, 353 353 - Json(json!({ 354 354 - "error": "UpstreamError", 355 355 - "message": format!("Failed to register DID with PLC directory: {}", e) 356 356 - })), 357 357 - ) 358 358 - .into_response(); 359 405 } 360 360 - info!(did = %genesis_result.did, "Successfully registered DID with PLC directory"); 361 361 - genesis_result.did 362 406 }; 363 407 let mut tx = match state.db.begin().await { 364 408 Ok(tx) => tx,

+231 -68

src/api/identity/did.rs

··· 95 95 })) 96 96 } 97 97 98 98 - pub async fn well_known_did(State(_state): State<AppState>) -> impl IntoResponse { 98 98 + pub fn get_public_key_multibase(key_bytes: &[u8]) -> Result<String, &'static str> { 99 99 + let secret_key = SecretKey::from_slice(key_bytes).map_err(|_| "Invalid key length")?; 100 100 + let public_key = secret_key.public_key(); 101 101 + let compressed = public_key.to_encoded_point(true); 102 102 + let compressed_bytes = compressed.as_bytes(); 103 103 + let mut multicodec_key = vec![0xe7, 0x01]; 104 104 + multicodec_key.extend_from_slice(compressed_bytes); 105 105 + Ok(format!("z{}", bs58::encode(&multicodec_key).into_string())) 106 106 + } 107 107 + 108 108 + pub async fn well_known_did(State(state): State<AppState>, headers: HeaderMap) -> Response { 99 109 let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string()); 100 100 - // Kinda for local dev, encode hostname if it contains port 110 110 + let host_header = headers 111 111 + .get("host") 112 112 + .and_then(|h| h.to_str().ok()) 113 113 + .unwrap_or(&hostname); 114 114 + let host_without_port = host_header.split(':').next().unwrap_or(host_header); 115 115 + let hostname_without_port = hostname.split(':').next().unwrap_or(&hostname); 116 116 + if host_without_port != hostname_without_port 117 117 + && host_without_port.ends_with(&format!(".{}", hostname_without_port)) 118 118 + { 119 119 + let handle = host_without_port 120 120 + .strip_suffix(&format!(".{}", hostname_without_port)) 121 121 + .unwrap_or(host_without_port); 122 122 + return serve_subdomain_did_doc(&state, handle, &hostname).await; 123 123 + } 101 124 let did = if hostname.contains(':') { 102 125 format!("did:web:{}", hostname.replace(':', "%3A")) 103 126 } else { ··· 112 135 "serviceEndpoint": format!("https://{}", hostname) 113 136 }] 114 137 })) 138 138 + .into_response() 139 139 + } 140 140 + 141 141 + async fn serve_subdomain_did_doc(state: &AppState, handle: &str, hostname: &str) -> Response { 142 142 + let user = sqlx::query!( 143 143 + "SELECT id, did, migrated_to_pds FROM users WHERE handle = $1", 144 144 + handle 145 145 + ) 146 146 + .fetch_optional(&state.db) 147 147 + .await; 148 148 + let (user_id, did, migrated_to_pds) = match user { 149 149 + Ok(Some(row)) => (row.id, row.did, row.migrated_to_pds), 150 150 + Ok(None) => { 151 151 + return (StatusCode::NOT_FOUND, Json(json!({"error": "NotFound"}))).into_response(); 152 152 + } 153 153 + Err(e) => { 154 154 + error!("DB Error: {:?}", e); 155 155 + return ( 156 156 + StatusCode::INTERNAL_SERVER_ERROR, 157 157 + Json(json!({"error": "InternalError"})), 158 158 + ) 159 159 + .into_response(); 160 160 + } 161 161 + }; 162 162 + if !did.starts_with("did:web:") { 163 163 + return ( 164 164 + StatusCode::NOT_FOUND, 165 165 + Json(json!({"error": "NotFound", "message": "User is not did:web"})), 166 166 + ) 167 167 + .into_response(); 168 168 + } 169 169 + let subdomain_host = format!("{}.{}", handle, hostname); 170 170 + let encoded_subdomain = subdomain_host.replace(':', "%3A"); 171 171 + let expected_self_hosted = format!("did:web:{}", encoded_subdomain); 172 172 + if did != expected_self_hosted { 173 173 + return ( 174 174 + StatusCode::NOT_FOUND, 175 175 + Json(json!({"error": "NotFound", "message": "External did:web - DID document hosted by user"})), 176 176 + ) 177 177 + .into_response(); 178 178 + } 179 179 + let key_row = sqlx::query!( 180 180 + "SELECT key_bytes, encryption_version FROM user_keys WHERE user_id = $1", 181 181 + user_id 182 182 + ) 183 183 + .fetch_optional(&state.db) 184 184 + .await; 185 185 + let key_bytes: Vec<u8> = match key_row { 186 186 + Ok(Some(row)) => match crate::config::decrypt_key(&row.key_bytes, row.encryption_version) { 187 187 + Ok(k) => k, 188 188 + Err(_) => { 189 189 + return ( 190 190 + StatusCode::INTERNAL_SERVER_ERROR, 191 191 + Json(json!({"error": "InternalError"})), 192 192 + ) 193 193 + .into_response(); 194 194 + } 195 195 + }, 196 196 + _ => { 197 197 + return ( 198 198 + StatusCode::INTERNAL_SERVER_ERROR, 199 199 + Json(json!({"error": "InternalError"})), 200 200 + ) 201 201 + .into_response(); 202 202 + } 203 203 + }; 204 204 + let public_key_multibase = match get_public_key_multibase(&key_bytes) { 205 205 + Ok(pk) => pk, 206 206 + Err(e) => { 207 207 + tracing::error!("Failed to generate public key multibase: {}", e); 208 208 + return ( 209 209 + StatusCode::INTERNAL_SERVER_ERROR, 210 210 + Json(json!({"error": "InternalError"})), 211 211 + ) 212 212 + .into_response(); 213 213 + } 214 214 + }; 215 215 + let full_handle = if handle.contains('.') { 216 216 + handle.to_string() 217 217 + } else { 218 218 + format!("{}.{}", handle, hostname) 219 219 + }; 220 220 + let service_endpoint = migrated_to_pds.unwrap_or_else(|| format!("https://{}", hostname)); 221 221 + Json(json!({ 222 222 + "@context": [ 223 223 + "https://www.w3.org/ns/did/v1", 224 224 + "https://w3id.org/security/multikey/v1", 225 225 + "https://w3id.org/security/suites/secp256k1-2019/v1" 226 226 + ], 227 227 + "id": did, 228 228 + "alsoKnownAs": [format!("at://{}", full_handle)], 229 229 + "verificationMethod": [{ 230 230 + "id": format!("{}#atproto", did), 231 231 + "type": "Multikey", 232 232 + "controller": did, 233 233 + "publicKeyMultibase": public_key_multibase 234 234 + }], 235 235 + "service": [{ 236 236 + "id": "#atproto_pds", 237 237 + "type": "AtprotoPersonalDataServer", 238 238 + "serviceEndpoint": service_endpoint 239 239 + }] 240 240 + })) 241 241 + .into_response() 115 242 } 116 243 117 244 pub async fn user_did_doc(State(state): State<AppState>, Path(handle): Path<String>) -> Response { 118 245 let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string()); 119 119 - let user = sqlx::query!("SELECT id, did FROM users WHERE handle = $1", handle) 120 120 - .fetch_optional(&state.db) 121 121 - .await; 122 122 - let (user_id, did) = match user { 123 123 - Ok(Some(row)) => (row.id, row.did), 246 246 + let user = sqlx::query!( 247 247 + "SELECT id, did, migrated_to_pds FROM users WHERE handle = $1", 248 248 + handle 249 249 + ) 250 250 + .fetch_optional(&state.db) 251 251 + .await; 252 252 + let (user_id, did, migrated_to_pds) = match user { 253 253 + Ok(Some(row)) => (row.id, row.did, row.migrated_to_pds), 124 254 Ok(None) => { 125 255 return (StatusCode::NOT_FOUND, Json(json!({"error": "NotFound"}))).into_response(); 126 256 } ··· 140 270 ) 141 271 .into_response(); 142 272 } 273 273 + let encoded_hostname = hostname.replace(':', "%3A"); 274 274 + let old_path_format = format!("did:web:{}:u:{}", encoded_hostname, handle); 275 275 + let subdomain_host = format!("{}.{}", handle, hostname); 276 276 + let encoded_subdomain = subdomain_host.replace(':', "%3A"); 277 277 + let new_subdomain_format = format!("did:web:{}", encoded_subdomain); 278 278 + if did != old_path_format && did != new_subdomain_format { 279 279 + return ( 280 280 + StatusCode::NOT_FOUND, 281 281 + Json(json!({"error": "NotFound", "message": "External did:web - DID document hosted by user"})), 282 282 + ) 283 283 + .into_response(); 284 284 + } 143 285 let key_row = sqlx::query!( 144 286 "SELECT key_bytes, encryption_version FROM user_keys WHERE user_id = $1", 145 287 user_id ··· 165 307 .into_response(); 166 308 } 167 309 }; 168 168 - let jwk = match get_jwk(&key_bytes) { 169 169 - Ok(j) => j, 310 310 + let public_key_multibase = match get_public_key_multibase(&key_bytes) { 311 311 + Ok(pk) => pk, 170 312 Err(e) => { 171 171 - tracing::error!("Failed to generate JWK: {}", e); 313 313 + tracing::error!("Failed to generate public key multibase: {}", e); 172 314 return ( 173 315 StatusCode::INTERNAL_SERVER_ERROR, 174 316 Json(json!({"error": "InternalError"})), ··· 176 318 .into_response(); 177 319 } 178 320 }; 321 321 + let full_handle = if handle.contains('.') { 322 322 + handle.clone() 323 323 + } else { 324 324 + format!("{}.{}", handle, hostname) 325 325 + }; 326 326 + let service_endpoint = migrated_to_pds.unwrap_or_else(|| format!("https://{}", hostname)); 179 327 Json(json!({ 180 180 - "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"], 328 328 + "@context": [ 329 329 + "https://www.w3.org/ns/did/v1", 330 330 + "https://w3id.org/security/multikey/v1", 331 331 + "https://w3id.org/security/suites/secp256k1-2019/v1" 332 332 + ], 181 333 "id": did, 182 182 - "alsoKnownAs": [format!("at://{}", handle)], 334 334 + "alsoKnownAs": [format!("at://{}", full_handle)], 183 335 "verificationMethod": [{ 184 336 "id": format!("{}#atproto", did), 185 185 - "type": "JsonWebKey2020", 337 337 + "type": "Multikey", 186 338 "controller": did, 187 187 - "publicKeyJwk": jwk 339 339 + "publicKeyMultibase": public_key_multibase 188 340 }], 189 341 "service": [{ 190 342 "id": "#atproto_pds", 191 343 "type": "AtprotoPersonalDataServer", 192 192 - "serviceEndpoint": format!("https://{}", hostname) 344 344 + "serviceEndpoint": service_endpoint 193 345 }] 194 194 - })).into_response() 346 346 + })) 347 347 + .into_response() 195 348 } 196 349 197 350 pub async fn verify_did_web(did: &str, hostname: &str, handle: &str) -> Result<(), String> { 351 351 + let subdomain_host = format!("{}.{}", handle, hostname); 352 352 + let encoded_subdomain = subdomain_host.replace(':', "%3A"); 353 353 + let expected_subdomain_did = format!("did:web:{}", encoded_subdomain); 354 354 + if did == expected_subdomain_did { 355 355 + return Ok(()); 356 356 + } 198 357 let expected_prefix = if hostname.contains(':') { 199 358 format!("did:web:{}", hostname.replace(':', "%3A")) 200 359 } else { ··· 204 363 let suffix = &did[expected_prefix.len()..]; 205 364 let expected_suffix = format!(":u:{}", handle); 206 365 if suffix == expected_suffix { 207 207 - Ok(()) 366 366 + return Ok(()); 208 367 } else { 209 209 - Err(format!( 368 368 + return Err(format!( 210 369 "Invalid DID path for this PDS. Expected {}", 211 370 expected_suffix 212 212 - )) 371 371 + )); 213 372 } 373 373 + } 374 374 + let parts: Vec<&str> = did.split(':').collect(); 375 375 + if parts.len() < 3 || parts[0] != "did" || parts[1] != "web" { 376 376 + return Err("Invalid did:web format".into()); 377 377 + } 378 378 + let domain_segment = parts[2]; 379 379 + let domain = domain_segment.replace("%3A", ":"); 380 380 + let scheme = if domain.starts_with("localhost") || domain.starts_with("127.0.0.1") { 381 381 + "http" 214 382 } else { 215 215 - let parts: Vec<&str> = did.split(':').collect(); 216 216 - if parts.len() < 3 || parts[0] != "did" || parts[1] != "web" { 217 217 - return Err("Invalid did:web format".into()); 218 218 - } 219 219 - let domain_segment = parts[2]; 220 220 - let domain = domain_segment.replace("%3A", ":"); 221 221 - let scheme = if domain.starts_with("localhost") || domain.starts_with("127.0.0.1") { 222 222 - "http" 223 223 - } else { 224 224 - "https" 225 225 - }; 226 226 - let url = if parts.len() == 3 { 227 227 - format!("{}://{}/.well-known/did.json", scheme, domain) 228 228 - } else { 229 229 - let path = parts[3..].join("/"); 230 230 - format!("{}://{}/{}/did.json", scheme, domain, path) 231 231 - }; 232 232 - let client = reqwest::Client::builder() 233 233 - .timeout(std::time::Duration::from_secs(5)) 234 234 - .build() 235 235 - .map_err(|e| format!("Failed to create client: {}", e))?; 236 236 - let resp = client 237 237 - .get(&url) 238 238 - .send() 239 239 - .await 240 240 - .map_err(|e| format!("Failed to fetch DID doc: {}", e))?; 241 241 - if !resp.status().is_success() { 242 242 - return Err(format!("Failed to fetch DID doc: HTTP {}", resp.status())); 243 243 - } 244 244 - let doc: serde_json::Value = resp 245 245 - .json() 246 246 - .await 247 247 - .map_err(|e| format!("Failed to parse DID doc: {}", e))?; 248 248 - let services = doc["service"] 249 249 - .as_array() 250 250 - .ok_or("No services found in DID doc")?; 251 251 - let pds_endpoint = format!("https://{}", hostname); 252 252 - let has_valid_service = services.iter().any(|s| { 253 253 - s["type"] == "AtprotoPersonalDataServer" && s["serviceEndpoint"] == pds_endpoint 254 254 - }); 255 255 - if has_valid_service { 256 256 - Ok(()) 257 257 - } else { 258 258 - Err(format!( 259 259 - "DID document does not list this PDS ({}) as AtprotoPersonalDataServer", 260 260 - pds_endpoint 261 261 - )) 262 262 - } 383 383 + "https" 384 384 + }; 385 385 + let url = if parts.len() == 3 { 386 386 + format!("{}://{}/.well-known/did.json", scheme, domain) 387 387 + } else { 388 388 + let path = parts[3..].join("/"); 389 389 + format!("{}://{}/{}/did.json", scheme, domain, path) 390 390 + }; 391 391 + let client = reqwest::Client::builder() 392 392 + .timeout(std::time::Duration::from_secs(5)) 393 393 + .build() 394 394 + .map_err(|e| format!("Failed to create client: {}", e))?; 395 395 + let resp = client 396 396 + .get(&url) 397 397 + .send() 398 398 + .await 399 399 + .map_err(|e| format!("Failed to fetch DID doc: {}", e))?; 400 400 + if !resp.status().is_success() { 401 401 + return Err(format!("Failed to fetch DID doc: HTTP {}", resp.status())); 402 402 + } 403 403 + let doc: serde_json::Value = resp 404 404 + .json() 405 405 + .await 406 406 + .map_err(|e| format!("Failed to parse DID doc: {}", e))?; 407 407 + let services = doc["service"] 408 408 + .as_array() 409 409 + .ok_or("No services found in DID doc")?; 410 410 + let pds_endpoint = format!("https://{}", hostname); 411 411 + let has_valid_service = services 412 412 + .iter() 413 413 + .any(|s| s["type"] == "AtprotoPersonalDataServer" && s["serviceEndpoint"] == pds_endpoint); 414 414 + if has_valid_service { 415 415 + Ok(()) 416 416 + } else { 417 417 + Err(format!( 418 418 + "DID document does not list this PDS ({}) as AtprotoPersonalDataServer", 419 419 + pds_endpoint 420 420 + )) 263 421 } 264 422 } 265 423 ··· 344 502 Err(_) => return ApiError::InternalError.into_response(), 345 503 }; 346 504 let did_key = signing_key_to_did_key(&signing_key); 505 505 + let rotation_keys = if auth_user.did.starts_with("did:web:") { 506 506 + vec![] 507 507 + } else { 508 508 + vec![did_key.clone()] 509 509 + }; 347 510 ( 348 511 StatusCode::OK, 349 512 Json(GetRecommendedDidCredentialsOutput { 350 350 - rotation_keys: vec![did_key.clone()], 513 513 + rotation_keys, 351 514 also_known_as: vec![format!("at://{}", full_handle)], 352 515 verification_methods: VerificationMethods { atproto: did_key }, 353 516 services: Services {

+6

src/api/identity/plc/sign.rs

··· 63 63 return e; 64 64 } 65 65 let did = &auth_user.did; 66 66 + if did.starts_with("did:web:") { 67 67 + return ApiError::InvalidRequest( 68 68 + "PLC operations are only valid for did:plc identities".into(), 69 69 + ) 70 70 + .into_response(); 71 71 + } 66 72 let token = match &input.token { 67 73 Some(t) => t, 68 74 None => {

+6

src/api/identity/plc/submit.rs

··· 42 42 return e; 43 43 } 44 44 let did = &auth_user.did; 45 45 + if did.starts_with("did:web:") { 46 46 + return ApiError::InvalidRequest( 47 47 + "PLC operations are only valid for did:plc identities".into(), 48 48 + ) 49 49 + .into_response(); 50 50 + } 45 51 if let Err(e) = validate_plc_operation(&input.operation) { 46 52 return ApiError::InvalidRequest(format!("Invalid operation: {}", e)).into_response(); 47 53 }

+324

tests/did_web.rs

··· 1 1 + mod common; 2 2 + use common::*; 3 3 + use reqwest::StatusCode; 4 4 + use serde_json::{Value, json}; 5 5 + use wiremock::matchers::{method, path}; 6 6 + use wiremock::{Mock, MockServer, ResponseTemplate}; 7 7 + 8 8 + #[tokio::test] 9 9 + async fn test_create_self_hosted_did_web() { 10 10 + let client = client(); 11 11 + let handle = format!("selfweb_{}", uuid::Uuid::new_v4()); 12 12 + let payload = json!({ 13 13 + "handle": handle, 14 14 + "email": format!("{}@example.com", handle), 15 15 + "password": "password", 16 16 + "didType": "web" 17 17 + }); 18 18 + let res = client 19 19 + .post(format!( 20 20 + "{}/xrpc/com.atproto.server.createAccount", 21 21 + base_url().await 22 22 + )) 23 23 + .json(&payload) 24 24 + .send() 25 25 + .await 26 26 + .expect("Failed to send request"); 27 27 + if res.status() != StatusCode::OK { 28 28 + let body: Value = res.json().await.unwrap_or(json!({"error": "parse failed"})); 29 29 + panic!("createAccount failed: {:?}", body); 30 30 + } 31 31 + let body: Value = res.json().await.expect("Response was not JSON"); 32 32 + let did = body["did"].as_str().expect("No DID in response"); 33 33 + assert!( 34 34 + did.starts_with("did:web:"), 35 35 + "DID should start with did:web:, got: {}", 36 36 + did 37 37 + ); 38 38 + assert!( 39 39 + did.contains(&handle), 40 40 + "DID should contain handle {}, got: {}", 41 41 + handle, 42 42 + did 43 43 + ); 44 44 + assert!( 45 45 + !did.contains(":u:"), 46 46 + "Self-hosted did:web should use subdomain format (no :u:), got: {}", 47 47 + did 48 48 + ); 49 49 + let jwt = verify_new_account(&client, did).await; 50 50 + let res = client 51 51 + .get(format!("{}/u/{}/did.json", base_url().await, handle)) 52 52 + .send() 53 53 + .await 54 54 + .expect("Failed to fetch DID doc via path"); 55 55 + assert_eq!( 56 56 + res.status(), 57 57 + StatusCode::OK, 58 58 + "Self-hosted did:web should have DID doc served by PDS (via path for backwards compat)" 59 59 + ); 60 60 + let doc: Value = res.json().await.expect("DID doc was not JSON"); 61 61 + assert_eq!(doc["id"], did); 62 62 + assert!( 63 63 + doc["verificationMethod"][0]["publicKeyMultibase"].is_string(), 64 64 + "DID doc should have publicKeyMultibase" 65 65 + ); 66 66 + let res = client 67 67 + .post(format!( 68 68 + "{}/xrpc/com.atproto.repo.createRecord", 69 69 + base_url().await 70 70 + )) 71 71 + .bearer_auth(&jwt) 72 72 + .json(&json!({ 73 73 + "repo": did, 74 74 + "collection": "app.bsky.feed.post", 75 75 + "record": { 76 76 + "$type": "app.bsky.feed.post", 77 77 + "text": "Hello from did:web!", 78 78 + "createdAt": chrono::Utc::now().to_rfc3339() 79 79 + } 80 80 + })) 81 81 + .send() 82 82 + .await 83 83 + .expect("Failed to create post"); 84 84 + assert_eq!( 85 85 + res.status(), 86 86 + StatusCode::OK, 87 87 + "Self-hosted did:web account should be able to create records" 88 88 + ); 89 89 + } 90 90 + 91 91 + #[tokio::test] 92 92 + async fn test_external_did_web_no_local_doc() { 93 93 + let client = client(); 94 94 + let mock_server = MockServer::start().await; 95 95 + let mock_uri = mock_server.uri(); 96 96 + let mock_addr = mock_uri.trim_start_matches("http://"); 97 97 + let did = format!("did:web:{}", mock_addr.replace(":", "%3A")); 98 98 + let handle = format!("extweb_{}", uuid::Uuid::new_v4()); 99 99 + let pds_endpoint = base_url().await.replace("http://", "https://"); 100 100 + let did_doc = json!({ 101 101 + "@context": ["https://www.w3.org/ns/did/v1"], 102 102 + "id": did, 103 103 + "service": [{ 104 104 + "id": "#atproto_pds", 105 105 + "type": "AtprotoPersonalDataServer", 106 106 + "serviceEndpoint": pds_endpoint 107 107 + }] 108 108 + }); 109 109 + Mock::given(method("GET")) 110 110 + .and(path("/.well-known/did.json")) 111 111 + .respond_with(ResponseTemplate::new(200).set_body_json(did_doc)) 112 112 + .mount(&mock_server) 113 113 + .await; 114 114 + let payload = json!({ 115 115 + "handle": handle, 116 116 + "email": format!("{}@example.com", handle), 117 117 + "password": "password", 118 118 + "didType": "web-external", 119 119 + "did": did 120 120 + }); 121 121 + let res = client 122 122 + .post(format!( 123 123 + "{}/xrpc/com.atproto.server.createAccount", 124 124 + base_url().await 125 125 + )) 126 126 + .json(&payload) 127 127 + .send() 128 128 + .await 129 129 + .expect("Failed to send request"); 130 130 + if res.status() != StatusCode::OK { 131 131 + let body: Value = res.json().await.unwrap_or(json!({"error": "parse failed"})); 132 132 + panic!("createAccount failed: {:?}", body); 133 133 + } 134 134 + let res = client 135 135 + .get(format!("{}/u/{}/did.json", base_url().await, handle)) 136 136 + .send() 137 137 + .await 138 138 + .expect("Failed to fetch DID doc"); 139 139 + assert_eq!( 140 140 + res.status(), 141 141 + StatusCode::NOT_FOUND, 142 142 + "External did:web should NOT have DID doc served by PDS" 143 143 + ); 144 144 + let body: Value = res.json().await.expect("Response was not JSON"); 145 145 + assert!( 146 146 + body["message"].as_str().unwrap_or("").contains("External"), 147 147 + "Error message should indicate external did:web" 148 148 + ); 149 149 + } 150 150 + 151 151 + #[tokio::test] 152 152 + async fn test_plc_operations_blocked_for_did_web() { 153 153 + let client = client(); 154 154 + let handle = format!("plcblock_{}", uuid::Uuid::new_v4()); 155 155 + let payload = json!({ 156 156 + "handle": handle, 157 157 + "email": format!("{}@example.com", handle), 158 158 + "password": "password", 159 159 + "didType": "web" 160 160 + }); 161 161 + let res = client 162 162 + .post(format!( 163 163 + "{}/xrpc/com.atproto.server.createAccount", 164 164 + base_url().await 165 165 + )) 166 166 + .json(&payload) 167 167 + .send() 168 168 + .await 169 169 + .expect("Failed to send request"); 170 170 + assert_eq!(res.status(), StatusCode::OK); 171 171 + let body: Value = res.json().await.expect("Response was not JSON"); 172 172 + let did = body["did"].as_str().expect("No DID").to_string(); 173 173 + let jwt = verify_new_account(&client, &did).await; 174 174 + let res = client 175 175 + .post(format!( 176 176 + "{}/xrpc/com.atproto.identity.signPlcOperation", 177 177 + base_url().await 178 178 + )) 179 179 + .bearer_auth(&jwt) 180 180 + .json(&json!({ 181 181 + "token": "fake-token" 182 182 + })) 183 183 + .send() 184 184 + .await 185 185 + .expect("Failed to send request"); 186 186 + assert_eq!( 187 187 + res.status(), 188 188 + StatusCode::BAD_REQUEST, 189 189 + "signPlcOperation should be blocked for did:web users" 190 190 + ); 191 191 + let body: Value = res.json().await.expect("Response was not JSON"); 192 192 + assert!( 193 193 + body["message"].as_str().unwrap_or("").contains("did:plc"), 194 194 + "Error should mention did:plc: {:?}", 195 195 + body 196 196 + ); 197 197 + let res = client 198 198 + .post(format!( 199 199 + "{}/xrpc/com.atproto.identity.submitPlcOperation", 200 200 + base_url().await 201 201 + )) 202 202 + .bearer_auth(&jwt) 203 203 + .json(&json!({ 204 204 + "operation": {} 205 205 + })) 206 206 + .send() 207 207 + .await 208 208 + .expect("Failed to send request"); 209 209 + assert_eq!( 210 210 + res.status(), 211 211 + StatusCode::BAD_REQUEST, 212 212 + "submitPlcOperation should be blocked for did:web users" 213 213 + ); 214 214 + } 215 215 + 216 216 + #[tokio::test] 217 217 + async fn test_get_recommended_did_credentials_no_rotation_keys_for_did_web() { 218 218 + let client = client(); 219 219 + let handle = format!("creds_{}", uuid::Uuid::new_v4()); 220 220 + let payload = json!({ 221 221 + "handle": handle, 222 222 + "email": format!("{}@example.com", handle), 223 223 + "password": "password", 224 224 + "didType": "web" 225 225 + }); 226 226 + let res = client 227 227 + .post(format!( 228 228 + "{}/xrpc/com.atproto.server.createAccount", 229 229 + base_url().await 230 230 + )) 231 231 + .json(&payload) 232 232 + .send() 233 233 + .await 234 234 + .expect("Failed to send request"); 235 235 + assert_eq!(res.status(), StatusCode::OK); 236 236 + let body: Value = res.json().await.expect("Response was not JSON"); 237 237 + let did = body["did"].as_str().expect("No DID").to_string(); 238 238 + let jwt = verify_new_account(&client, &did).await; 239 239 + let res = client 240 240 + .get(format!( 241 241 + "{}/xrpc/com.atproto.identity.getRecommendedDidCredentials", 242 242 + base_url().await 243 243 + )) 244 244 + .bearer_auth(&jwt) 245 245 + .send() 246 246 + .await 247 247 + .expect("Failed to send request"); 248 248 + assert_eq!(res.status(), StatusCode::OK); 249 249 + let body: Value = res.json().await.expect("Response was not JSON"); 250 250 + let rotation_keys = body["rotationKeys"] 251 251 + .as_array() 252 252 + .expect("rotationKeys should be an array"); 253 253 + assert!( 254 254 + rotation_keys.is_empty(), 255 255 + "did:web should have no rotation keys, got: {:?}", 256 256 + rotation_keys 257 257 + ); 258 258 + assert!( 259 259 + body["verificationMethods"].is_object(), 260 260 + "verificationMethods should be present" 261 261 + ); 262 262 + assert!(body["services"].is_object(), "services should be present"); 263 263 + } 264 264 + 265 265 + #[tokio::test] 266 266 + async fn test_did_plc_still_works_with_did_type_param() { 267 267 + let client = client(); 268 268 + let handle = format!("plctype_{}", uuid::Uuid::new_v4()); 269 269 + let payload = json!({ 270 270 + "handle": handle, 271 271 + "email": format!("{}@example.com", handle), 272 272 + "password": "password", 273 273 + "didType": "plc" 274 274 + }); 275 275 + let res = client 276 276 + .post(format!( 277 277 + "{}/xrpc/com.atproto.server.createAccount", 278 278 + base_url().await 279 279 + )) 280 280 + .json(&payload) 281 281 + .send() 282 282 + .await 283 283 + .expect("Failed to send request"); 284 284 + assert_eq!(res.status(), StatusCode::OK); 285 285 + let body: Value = res.json().await.expect("Response was not JSON"); 286 286 + let did = body["did"].as_str().expect("No DID").to_string(); 287 287 + assert!( 288 288 + did.starts_with("did:plc:"), 289 289 + "DID with didType=plc should be did:plc:, got: {}", 290 290 + did 291 291 + ); 292 292 + } 293 293 + 294 294 + #[tokio::test] 295 295 + async fn test_external_did_web_requires_did_field() { 296 296 + let client = client(); 297 297 + let handle = format!("nodid_{}", uuid::Uuid::new_v4()); 298 298 + let payload = json!({ 299 299 + "handle": handle, 300 300 + "email": format!("{}@example.com", handle), 301 301 + "password": "password", 302 302 + "didType": "web-external" 303 303 + }); 304 304 + let res = client 305 305 + .post(format!( 306 306 + "{}/xrpc/com.atproto.server.createAccount", 307 307 + base_url().await 308 308 + )) 309 309 + .json(&payload) 310 310 + .send() 311 311 + .await 312 312 + .expect("Failed to send request"); 313 313 + assert_eq!( 314 314 + res.status(), 315 315 + StatusCode::BAD_REQUEST, 316 316 + "web-external without did should fail" 317 317 + ); 318 318 + let body: Value = res.json().await.expect("Response was not JSON"); 319 319 + assert!( 320 320 + body["message"].as_str().unwrap_or("").contains("did"), 321 321 + "Error should mention did field is required: {:?}", 322 322 + body 323 323 + ); 324 324 + }

+5 -6

tests/identity.rs

··· 143 143 .send() 144 144 .await 145 145 .expect("Failed to fetch DID doc"); 146 146 - assert_eq!(res.status(), StatusCode::OK); 147 147 - let doc: Value = res.json().await.expect("DID doc was not JSON"); 148 148 - assert_eq!(doc["id"], did); 149 149 - assert_eq!(doc["alsoKnownAs"][0], format!("at://{}", handle)); 150 150 - assert_eq!(doc["verificationMethod"][0]["controller"], did); 151 151 - assert!(doc["verificationMethod"][0]["publicKeyJwk"].is_object()); 146 146 + assert_eq!( 147 147 + res.status(), 148 148 + StatusCode::NOT_FOUND, 149 149 + "External did:web should not have DID doc served by PDS (user hosts their own)" 150 150 + ); 152 151 } 153 152 154 153 #[tokio::test]