src/api/server/passkey_account.rs at 32fee7a7fff8493b78ca078a840b5819718f297d · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / src / api / server / passkey_account.rs
at 32fee7a7fff8493b78ca078a840b5819718f297d 37 kB view raw
   1use crate::api::SuccessResponse;
   2use crate::api::error::ApiError;
   3use axum::{
   4    Json,
   5    extract::State,
   6    http::HeaderMap,
   7    response::{IntoResponse, Response},
   8};
   9use bcrypt::{DEFAULT_COST, hash};
  10use chrono::{Duration, Utc};
  11use jacquard::types::{integer::LimitedU32, string::Tid};
  12use jacquard_repo::{mst::Mst, storage::BlockStore};
  13use rand::Rng;
  14use serde::{Deserialize, Serialize};
  15use serde_json::json;
  16use std::sync::Arc;
  17use tracing::{debug, error, info, warn};
  18use uuid::Uuid;
  19
  20use crate::api::repo::record::utils::create_signed_commit;
  21use crate::auth::{ServiceTokenVerifier, is_service_token};
  22use crate::state::{AppState, RateLimitKind};
  23use crate::types::{Did, Handle, Nsid, PlainPassword, Rkey};
  24use crate::validation::validate_password;
  25
  26fn extract_client_ip(headers: &HeaderMap) -> String {
  27    if let Some(forwarded) = headers.get("x-forwarded-for")
  28        && let Ok(value) = forwarded.to_str()
  29        && let Some(first_ip) = value.split(',').next()
  30    {
  31        return first_ip.trim().to_string();
  32    }
  33    if let Some(real_ip) = headers.get("x-real-ip")
  34        && let Ok(value) = real_ip.to_str()
  35    {
  36        return value.trim().to_string();
  37    }
  38    "unknown".to_string()
  39}
  40
  41fn generate_setup_token() -> String {
  42    let mut rng = rand::thread_rng();
  43    (0..32)
  44        .map(|_| {
  45            let idx = rng.gen_range(0..36);
  46            if idx < 10 {
  47                (b'0' + idx) as char
  48            } else {
  49                (b'a' + idx - 10) as char
  50            }
  51        })
  52        .collect()
  53}
  54
  55fn generate_app_password() -> String {
  56    let chars: &[u8] = b"abcdefghijklmnopqrstuvwxyz234567";
  57    let mut rng = rand::thread_rng();
  58    let segments: Vec<String> = (0..4)
  59        .map(|_| {
  60            (0..4)
  61                .map(|_| chars[rng.gen_range(0..chars.len())] as char)
  62                .collect()
  63        })
  64        .collect();
  65    segments.join("-")
  66}
  67
  68#[derive(Deserialize)]
  69#[serde(rename_all = "camelCase")]
  70pub struct CreatePasskeyAccountInput {
  71    pub handle: String,
  72    pub email: Option<String>,
  73    pub invite_code: Option<String>,
  74    pub did: Option<String>,
  75    pub did_type: Option<String>,
  76    pub signing_key: Option<String>,
  77    pub verification_channel: Option<String>,
  78    pub discord_id: Option<String>,
  79    pub telegram_username: Option<String>,
  80    pub signal_number: Option<String>,
  81}
  82
  83#[derive(Serialize)]
  84#[serde(rename_all = "camelCase")]
  85pub struct CreatePasskeyAccountResponse {
  86    pub did: Did,
  87    pub handle: Handle,
  88    pub setup_token: String,
  89    pub setup_expires_at: chrono::DateTime<Utc>,
  90    #[serde(skip_serializing_if = "Option::is_none")]
  91    pub access_jwt: Option<String>,
  92}
  93
  94pub async fn create_passkey_account(
  95    State(state): State<AppState>,
  96    headers: HeaderMap,
  97    Json(input): Json<CreatePasskeyAccountInput>,
  98) -> Response {
  99    let client_ip = extract_client_ip(&headers);
 100    if !state
 101        .check_rate_limit(RateLimitKind::AccountCreation, &client_ip)
 102        .await
 103    {
 104        warn!(ip = %client_ip, "Account creation rate limit exceeded");
 105        return ApiError::RateLimitExceeded(Some(
 106            "Too many account creation attempts. Please try again later.".into(),
 107        ))
 108        .into_response();
 109    }
 110
 111    let byod_auth = if let Some(extracted) = crate::auth::extract_auth_token_from_header(
 112        headers.get("Authorization").and_then(|h| h.to_str().ok()),
 113    ) {
 114        let token = extracted.token;
 115        if is_service_token(&token) {
 116            let verifier = ServiceTokenVerifier::new();
 117            match verifier
 118                .verify_service_token(&token, Some("com.atproto.server.createAccount"))
 119                .await
 120            {
 121                Ok(claims) => {
 122                    debug!(
 123                        "Service token verified for BYOD did:web: iss={}",
 124                        claims.iss
 125                    );
 126                    Some(claims.iss)
 127                }
 128                Err(e) => {
 129                    error!("Service token verification failed: {:?}", e);
 130                    return ApiError::AuthenticationFailed(Some(format!(
 131                        "Service token verification failed: {}",
 132                        e
 133                    )))
 134                    .into_response();
 135                }
 136            }
 137        } else {
 138            None
 139        }
 140    } else {
 141        None
 142    };
 143
 144    let is_byod_did_web = byod_auth.is_some()
 145        && input
 146            .did
 147            .as_ref()
 148            .map(|d| d.starts_with("did:web:"))
 149            .unwrap_or(false);
 150
 151    let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
 152    let pds_suffix = format!(".{}", hostname);
 153
 154    let handle = if !input.handle.contains('.') || input.handle.ends_with(&pds_suffix) {
 155        let handle_to_validate = if input.handle.ends_with(&pds_suffix) {
 156            input
 157                .handle
 158                .strip_suffix(&pds_suffix)
 159                .unwrap_or(&input.handle)
 160        } else {
 161            &input.handle
 162        };
 163        match crate::api::validation::validate_short_handle(handle_to_validate) {
 164            Ok(h) => format!("{}.{}", h, hostname),
 165            Err(_) => {
 166                return ApiError::InvalidHandle(None).into_response();
 167            }
 168        }
 169    } else {
 170        input.handle.to_lowercase()
 171    };
 172
 173    let email = input
 174        .email
 175        .as_ref()
 176        .map(|e| e.trim().to_string())
 177        .filter(|e| !e.is_empty());
 178    if let Some(ref email) = email
 179        && !crate::api::validation::is_valid_email(email)
 180    {
 181        return ApiError::InvalidEmail.into_response();
 182    }
 183
 184    if let Some(ref code) = input.invite_code {
 185        let valid = sqlx::query_scalar!(
 186            "SELECT available_uses > 0 AND NOT disabled FROM invite_codes WHERE code = $1",
 187            code
 188        )
 189        .fetch_optional(&state.db)
 190        .await
 191        .ok()
 192        .flatten()
 193        .unwrap_or(Some(false));
 194
 195        if valid != Some(true) {
 196            return ApiError::InvalidInviteCode.into_response();
 197        }
 198    } else {
 199        let invite_required = std::env::var("INVITE_CODE_REQUIRED")
 200            .map(|v| v == "true" || v == "1")
 201            .unwrap_or(false);
 202        if invite_required {
 203            return ApiError::InviteCodeRequired.into_response();
 204        }
 205    }
 206
 207    let verification_channel = input.verification_channel.as_deref().unwrap_or("email");
 208    let verification_recipient = match verification_channel {
 209        "email" => match &email {
 210            Some(e) if !e.is_empty() => e.clone(),
 211            _ => return ApiError::MissingEmail.into_response(),
 212        },
 213        "discord" => match &input.discord_id {
 214            Some(id) if !id.trim().is_empty() => id.trim().to_string(),
 215            _ => return ApiError::MissingDiscordId.into_response(),
 216        },
 217        "telegram" => match &input.telegram_username {
 218            Some(username) if !username.trim().is_empty() => username.trim().to_string(),
 219            _ => return ApiError::MissingTelegramUsername.into_response(),
 220        },
 221        "signal" => match &input.signal_number {
 222            Some(number) if !number.trim().is_empty() => number.trim().to_string(),
 223            _ => return ApiError::MissingSignalNumber.into_response(),
 224        },
 225        _ => return ApiError::InvalidVerificationChannel.into_response(),
 226    };
 227
 228    use k256::ecdsa::SigningKey;
 229    use rand::rngs::OsRng;
 230
 231    let pds_endpoint = format!("https://{}", hostname);
 232    let did_type = input.did_type.as_deref().unwrap_or("plc");
 233
 234    let (secret_key_bytes, reserved_key_id): (Vec<u8>, Option<Uuid>) =
 235        if let Some(signing_key_did) = &input.signing_key {
 236            let reserved = sqlx::query!(
 237                r#"
 238                SELECT id, private_key_bytes
 239                FROM reserved_signing_keys
 240                WHERE public_key_did_key = $1
 241                  AND used_at IS NULL
 242                  AND expires_at > NOW()
 243                FOR UPDATE
 244                "#,
 245                signing_key_did
 246            )
 247            .fetch_optional(&state.db)
 248            .await;
 249            match reserved {
 250                Ok(Some(row)) => (row.private_key_bytes, Some(row.id)),
 251                Ok(None) => {
 252                    return ApiError::InvalidSigningKey.into_response();
 253                }
 254                Err(e) => {
 255                    error!("Error looking up reserved signing key: {:?}", e);
 256                    return ApiError::InternalError(None).into_response();
 257                }
 258            }
 259        } else {
 260            let secret_key = k256::SecretKey::random(&mut OsRng);
 261            (secret_key.to_bytes().to_vec(), None)
 262        };
 263
 264    let secret_key = match SigningKey::from_slice(&secret_key_bytes) {
 265        Ok(k) => k,
 266        Err(e) => {
 267            error!("Error creating signing key: {:?}", e);
 268            return ApiError::InternalError(None).into_response();
 269        }
 270    };
 271
 272    let did = match did_type {
 273        "web" => {
 274            let subdomain_host = format!("{}.{}", input.handle, hostname);
 275            let encoded_subdomain = subdomain_host.replace(':', "%3A");
 276            let self_hosted_did = format!("did:web:{}", encoded_subdomain);
 277            info!(did = %self_hosted_did, "Creating self-hosted did:web passkey account");
 278            self_hosted_did
 279        }
 280        "web-external" => {
 281            let d = match &input.did {
 282                Some(d) if !d.trim().is_empty() => d.trim(),
 283                _ => {
 284                    return ApiError::InvalidRequest(
 285                        "External did:web requires the 'did' field to be provided".into(),
 286                    )
 287                    .into_response();
 288                }
 289            };
 290            if !d.starts_with("did:web:") {
 291                return ApiError::InvalidDid("External DID must be a did:web".into())
 292                    .into_response();
 293            }
 294            if is_byod_did_web {
 295                if let Some(ref auth_did) = byod_auth
 296                    && d != auth_did
 297                {
 298                    return ApiError::AuthorizationError(format!(
 299                        "Service token issuer {} does not match DID {}",
 300                        auth_did, d
 301                    ))
 302                    .into_response();
 303                }
 304                info!(did = %d, "Creating external did:web passkey account (BYOD key)");
 305            } else {
 306                if let Err(e) = crate::api::identity::did::verify_did_web(
 307                    d,
 308                    &hostname,
 309                    &input.handle,
 310                    input.signing_key.as_deref(),
 311                )
 312                .await
 313                {
 314                    return ApiError::InvalidDid(e).into_response();
 315                }
 316                info!(did = %d, "Creating external did:web passkey account (reserved key)");
 317            }
 318            d.to_string()
 319        }
 320        _ => {
 321            if let Some(ref auth_did) = byod_auth {
 322                if let Some(ref provided_did) = input.did {
 323                    if provided_did.starts_with("did:plc:") {
 324                        if provided_did != auth_did {
 325                            return ApiError::AuthorizationError(format!(
 326                                "Service token issuer {} does not match DID {}",
 327                                auth_did, provided_did
 328                            ))
 329                            .into_response();
 330                        }
 331                        info!(did = %provided_did, "Creating BYOD did:plc passkey account (migration)");
 332                        provided_did.clone()
 333                    } else {
 334                        return ApiError::InvalidRequest(
 335                            "BYOD migration requires a did:plc or did:web DID".into(),
 336                        )
 337                        .into_response();
 338                    }
 339                } else {
 340                    return ApiError::InvalidRequest(
 341                        "BYOD migration requires the 'did' field".into(),
 342                    )
 343                    .into_response();
 344                }
 345            } else {
 346                let rotation_key = std::env::var("PLC_ROTATION_KEY")
 347                    .unwrap_or_else(|_| crate::plc::signing_key_to_did_key(&secret_key));
 348
 349                let genesis_result = match crate::plc::create_genesis_operation(
 350                    &secret_key,
 351                    &rotation_key,
 352                    &handle,
 353                    &pds_endpoint,
 354                ) {
 355                    Ok(r) => r,
 356                    Err(e) => {
 357                        error!("Error creating PLC genesis operation: {:?}", e);
 358                        return ApiError::InternalError(Some(
 359                            "Failed to create PLC operation".into(),
 360                        ))
 361                        .into_response();
 362                    }
 363                };
 364
 365                let plc_client = crate::plc::PlcClient::with_cache(None, Some(state.cache.clone()));
 366                if let Err(e) = plc_client
 367                    .send_operation(&genesis_result.did, &genesis_result.signed_operation)
 368                    .await
 369                {
 370                    error!("Failed to submit PLC genesis operation: {:?}", e);
 371                    return ApiError::UpstreamErrorMsg(format!(
 372                        "Failed to register DID with PLC directory: {}",
 373                        e
 374                    ))
 375                    .into_response();
 376                }
 377                genesis_result.did
 378            }
 379        }
 380    };
 381
 382    info!(did = %did, handle = %handle, "Created DID for passkey-only account");
 383
 384    let setup_token = generate_setup_token();
 385    let setup_token_hash = match hash(&setup_token, DEFAULT_COST) {
 386        Ok(h) => h,
 387        Err(e) => {
 388            error!("Error hashing setup token: {:?}", e);
 389            return ApiError::InternalError(None).into_response();
 390        }
 391    };
 392    let setup_expires_at = Utc::now() + Duration::hours(1);
 393
 394    let mut tx = match state.db.begin().await {
 395        Ok(tx) => tx,
 396        Err(e) => {
 397            error!("Error starting transaction: {:?}", e);
 398            return ApiError::InternalError(None).into_response();
 399        }
 400    };
 401
 402    let is_first_user = sqlx::query_scalar!("SELECT COUNT(*) as count FROM users")
 403        .fetch_one(&mut *tx)
 404        .await
 405        .map(|c| c.unwrap_or(0) == 0)
 406        .unwrap_or(false);
 407
 408    let deactivated_at: Option<chrono::DateTime<Utc>> = if is_byod_did_web {
 409        Some(Utc::now())
 410    } else {
 411        None
 412    };
 413
 414    let user_insert: Result<(Uuid,), _> = sqlx::query_as(
 415        r#"INSERT INTO users (
 416            handle, email, did, password_hash, password_required,
 417            preferred_comms_channel,
 418            discord_id, telegram_username, signal_number,
 419            recovery_token, recovery_token_expires_at,
 420            is_admin, deactivated_at
 421        ) VALUES ($1, $2, $3, NULL, FALSE, $4::comms_channel, $5, $6, $7, $8, $9, $10, $11) RETURNING id"#,
 422    )
 423    .bind(&handle)
 424    .bind(&email)
 425    .bind(&did)
 426    .bind(verification_channel)
 427    .bind(
 428        input
 429            .discord_id
 430            .as_deref()
 431            .map(|s| s.trim())
 432            .filter(|s| !s.is_empty()),
 433    )
 434    .bind(
 435        input
 436            .telegram_username
 437            .as_deref()
 438            .map(|s| s.trim())
 439            .filter(|s| !s.is_empty()),
 440    )
 441    .bind(
 442        input
 443            .signal_number
 444            .as_deref()
 445            .map(|s| s.trim())
 446            .filter(|s| !s.is_empty()),
 447    )
 448    .bind(&setup_token_hash)
 449    .bind(setup_expires_at)
 450    .bind(is_first_user)
 451    .bind(deactivated_at)
 452    .fetch_one(&mut *tx)
 453    .await;
 454
 455    let user_id = match user_insert {
 456        Ok((id,)) => id,
 457        Err(e) => {
 458            if let Some(db_err) = e.as_database_error()
 459                && db_err.code().as_deref() == Some("23505")
 460            {
 461                let constraint = db_err.constraint().unwrap_or("");
 462                if constraint.contains("handle") {
 463                    return ApiError::HandleNotAvailable(None).into_response();
 464                } else if constraint.contains("email") {
 465                    return ApiError::EmailTaken.into_response();
 466                }
 467            }
 468            error!("Error inserting user: {:?}", e);
 469            return ApiError::InternalError(None).into_response();
 470        }
 471    };
 472
 473    let encrypted_key_bytes = match crate::config::encrypt_key(&secret_key_bytes) {
 474        Ok(bytes) => bytes,
 475        Err(e) => {
 476            error!("Error encrypting signing key: {:?}", e);
 477            return ApiError::InternalError(None).into_response();
 478        }
 479    };
 480
 481    if let Err(e) = sqlx::query!(
 482        "INSERT INTO user_keys (user_id, key_bytes, encryption_version, encrypted_at) VALUES ($1, $2, $3, NOW())",
 483        user_id,
 484        &encrypted_key_bytes[..],
 485        crate::config::ENCRYPTION_VERSION
 486    )
 487    .execute(&mut *tx)
 488    .await
 489    {
 490        error!("Error inserting user key: {:?}", e);
 491        return ApiError::InternalError(None).into_response();
 492    }
 493
 494    if let Some(key_id) = reserved_key_id
 495        && let Err(e) = sqlx::query!(
 496            "UPDATE reserved_signing_keys SET used_at = NOW() WHERE id = $1",
 497            key_id
 498        )
 499        .execute(&mut *tx)
 500        .await
 501    {
 502        error!("Error marking reserved key as used: {:?}", e);
 503        return ApiError::InternalError(None).into_response();
 504    }
 505
 506    let mst = Mst::new(Arc::new(state.block_store.clone()));
 507    let mst_root = match mst.persist().await {
 508        Ok(c) => c,
 509        Err(e) => {
 510            error!("Error persisting MST: {:?}", e);
 511            return ApiError::InternalError(None).into_response();
 512        }
 513    };
 514    let rev = Tid::now(LimitedU32::MIN);
 515    let did_typed = Did::new_unchecked(&did);
 516    let (commit_bytes, _sig) =
 517        match create_signed_commit(&did_typed, mst_root, rev.as_ref(), None, &secret_key) {
 518            Ok(result) => result,
 519            Err(e) => {
 520                error!("Error creating genesis commit: {:?}", e);
 521                return ApiError::InternalError(None).into_response();
 522            }
 523        };
 524    let commit_cid: cid::Cid = match state.block_store.put(&commit_bytes).await {
 525        Ok(c) => c,
 526        Err(e) => {
 527            error!("Error saving genesis commit: {:?}", e);
 528            return ApiError::InternalError(None).into_response();
 529        }
 530    };
 531    let commit_cid_str = commit_cid.to_string();
 532    let rev_str = rev.as_ref().to_string();
 533    if let Err(e) = sqlx::query!(
 534        "INSERT INTO repos (user_id, repo_root_cid, repo_rev) VALUES ($1, $2, $3)",
 535        user_id,
 536        commit_cid_str,
 537        rev_str
 538    )
 539    .execute(&mut *tx)
 540    .await
 541    {
 542        error!("Error inserting repo: {:?}", e);
 543        return ApiError::InternalError(None).into_response();
 544    }
 545    let genesis_block_cids = vec![mst_root.to_bytes(), commit_cid.to_bytes()];
 546    if let Err(e) = sqlx::query!(
 547        r#"
 548        INSERT INTO user_blocks (user_id, block_cid)
 549        SELECT $1, block_cid FROM UNNEST($2::bytea[]) AS t(block_cid)
 550        ON CONFLICT (user_id, block_cid) DO NOTHING
 551        "#,
 552        user_id,
 553        &genesis_block_cids
 554    )
 555    .execute(&mut *tx)
 556    .await
 557    {
 558        error!("Error inserting user_blocks: {:?}", e);
 559        return ApiError::InternalError(None).into_response();
 560    }
 561
 562    if let Some(ref code) = input.invite_code {
 563        let _ = sqlx::query!(
 564            "UPDATE invite_codes SET available_uses = available_uses - 1 WHERE code = $1",
 565            code
 566        )
 567        .execute(&mut *tx)
 568        .await;
 569
 570        let _ = sqlx::query!(
 571            "INSERT INTO invite_code_uses (code, used_by_user) VALUES ($1, $2)",
 572            code,
 573            user_id
 574        )
 575        .execute(&mut *tx)
 576        .await;
 577    }
 578
 579    if std::env::var("PDS_AGE_ASSURANCE_OVERRIDE").is_ok() {
 580        let birthdate_pref = json!({
 581            "$type": "app.bsky.actor.defs#personalDetailsPref",
 582            "birthDate": "1998-05-06T00:00:00.000Z"
 583        });
 584        if let Err(e) = sqlx::query!(
 585            "INSERT INTO account_preferences (user_id, name, value_json) VALUES ($1, $2, $3)
 586             ON CONFLICT (user_id, name) DO NOTHING",
 587            user_id,
 588            "app.bsky.actor.defs#personalDetailsPref",
 589            birthdate_pref
 590        )
 591        .execute(&mut *tx)
 592        .await
 593        {
 594            warn!("Failed to set default birthdate preference: {:?}", e);
 595        }
 596    }
 597
 598    if let Err(e) = tx.commit().await {
 599        error!("Error committing transaction: {:?}", e);
 600        return ApiError::InternalError(None).into_response();
 601    }
 602
 603    if !is_byod_did_web {
 604        let handle_typed = Handle::new_unchecked(&handle);
 605        if let Err(e) =
 606            crate::api::repo::record::sequence_identity_event(&state, &did_typed, Some(&handle_typed)).await
 607        {
 608            warn!("Failed to sequence identity event for {}: {}", did, e);
 609        }
 610        if let Err(e) =
 611            crate::api::repo::record::sequence_account_event(&state, &did_typed, true, None).await
 612        {
 613            warn!("Failed to sequence account event for {}: {}", did, e);
 614        }
 615        let profile_record = serde_json::json!({
 616            "$type": "app.bsky.actor.profile",
 617            "displayName": handle
 618        });
 619        let profile_collection = Nsid::new_unchecked("app.bsky.actor.profile");
 620        let profile_rkey = Rkey::new_unchecked("self");
 621        if let Err(e) = crate::api::repo::record::create_record_internal(
 622            &state,
 623            &did_typed,
 624            &profile_collection,
 625            &profile_rkey,
 626            &profile_record,
 627        )
 628        .await
 629        {
 630            warn!("Failed to create default profile for {}: {}", did, e);
 631        }
 632    }
 633
 634    let verification_token = crate::auth::verification_token::generate_signup_token(
 635        &did,
 636        verification_channel,
 637        &verification_recipient,
 638    );
 639    let formatted_token =
 640        crate::auth::verification_token::format_token_for_display(&verification_token);
 641    if let Err(e) = crate::comms::enqueue_signup_verification(
 642        &state.db,
 643        user_id,
 644        verification_channel,
 645        &verification_recipient,
 646        &formatted_token,
 647        None,
 648    )
 649    .await
 650    {
 651        warn!("Failed to enqueue signup verification: {:?}", e);
 652    }
 653
 654    info!(did = %did, handle = %handle, "Passkey-only account created, awaiting setup completion");
 655
 656    let access_jwt = if byod_auth.is_some() {
 657        match crate::auth::token::create_access_token_with_metadata(&did, &secret_key_bytes) {
 658            Ok(token_meta) => {
 659                let refresh_jti = uuid::Uuid::new_v4().to_string();
 660                let refresh_expires = chrono::Utc::now() + chrono::Duration::hours(24);
 661                let no_scope: Option<String> = None;
 662                if let Err(e) = sqlx::query!(
 663                    "INSERT INTO session_tokens (did, access_jti, refresh_jti, access_expires_at, refresh_expires_at, legacy_login, mfa_verified, scope) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
 664                    did,
 665                    token_meta.jti,
 666                    refresh_jti,
 667                    token_meta.expires_at,
 668                    refresh_expires,
 669                    false,
 670                    false,
 671                    no_scope
 672                )
 673                .execute(&state.db)
 674                .await
 675                {
 676                    warn!(did = %did, "Failed to insert migration session: {:?}", e);
 677                }
 678                info!(did = %did, "Generated migration access token for BYOD passkey account");
 679                Some(token_meta.token)
 680            }
 681            Err(e) => {
 682                warn!(did = %did, "Failed to generate migration access token: {:?}", e);
 683                None
 684            }
 685        }
 686    } else {
 687        None
 688    };
 689
 690    Json(CreatePasskeyAccountResponse {
 691        did: did.into(),
 692        handle: handle.into(),
 693        setup_token,
 694        setup_expires_at,
 695        access_jwt,
 696    })
 697    .into_response()
 698}
 699
 700#[derive(Deserialize)]
 701#[serde(rename_all = "camelCase")]
 702pub struct CompletePasskeySetupInput {
 703    pub did: Did,
 704    pub setup_token: String,
 705    pub passkey_credential: serde_json::Value,
 706    pub passkey_friendly_name: Option<String>,
 707}
 708
 709#[derive(Serialize)]
 710#[serde(rename_all = "camelCase")]
 711pub struct CompletePasskeySetupResponse {
 712    pub did: Did,
 713    pub handle: Handle,
 714    pub app_password: String,
 715    pub app_password_name: String,
 716}
 717
 718pub async fn complete_passkey_setup(
 719    State(state): State<AppState>,
 720    Json(input): Json<CompletePasskeySetupInput>,
 721) -> Response {
 722    let user = sqlx::query!(
 723        r#"SELECT id, handle, recovery_token, recovery_token_expires_at, password_required
 724           FROM users WHERE did = $1"#,
 725        input.did.as_str()
 726    )
 727    .fetch_optional(&state.db)
 728    .await;
 729
 730    let user = match user {
 731        Ok(Some(u)) => u,
 732        Ok(None) => {
 733            return ApiError::AccountNotFound.into_response();
 734        }
 735        Err(e) => {
 736            error!("DB error: {:?}", e);
 737            return ApiError::InternalError(None).into_response();
 738        }
 739    };
 740
 741    if user.password_required {
 742        return ApiError::InvalidAccount.into_response();
 743    }
 744
 745    let token_hash = match &user.recovery_token {
 746        Some(h) => h,
 747        None => {
 748            return ApiError::SetupExpired.into_response();
 749        }
 750    };
 751
 752    if let Some(expires_at) = user.recovery_token_expires_at
 753        && expires_at < Utc::now()
 754    {
 755        return ApiError::SetupExpired.into_response();
 756    }
 757
 758    if !bcrypt::verify(&input.setup_token, token_hash).unwrap_or(false) {
 759        return ApiError::InvalidToken(None).into_response();
 760    }
 761
 762    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
 763    let webauthn = match crate::auth::webauthn::WebAuthnConfig::new(&pds_hostname) {
 764        Ok(w) => w,
 765        Err(e) => {
 766            error!("Failed to create WebAuthn config: {:?}", e);
 767            return ApiError::InternalError(None).into_response();
 768        }
 769    };
 770
 771    let reg_state =
 772        match crate::auth::webauthn::load_registration_state(&state.db, &input.did).await {
 773            Ok(Some(s)) => s,
 774            Ok(None) => {
 775                return ApiError::NoChallengeInProgress.into_response();
 776            }
 777            Err(e) => {
 778                error!("Error loading registration state: {:?}", e);
 779                return ApiError::InternalError(None).into_response();
 780            }
 781        };
 782
 783    let credential: webauthn_rs::prelude::RegisterPublicKeyCredential =
 784        match serde_json::from_value(input.passkey_credential) {
 785            Ok(c) => c,
 786            Err(e) => {
 787                warn!("Failed to parse credential: {:?}", e);
 788                return ApiError::InvalidCredential.into_response();
 789            }
 790        };
 791
 792    let security_key = match webauthn.finish_registration(&credential, &reg_state) {
 793        Ok(sk) => sk,
 794        Err(e) => {
 795            warn!("Passkey registration failed: {:?}", e);
 796            return ApiError::RegistrationFailed.into_response();
 797        }
 798    };
 799
 800    if let Err(e) = crate::auth::webauthn::save_passkey(
 801        &state.db,
 802        &input.did,
 803        &security_key,
 804        input.passkey_friendly_name.as_deref(),
 805    )
 806    .await
 807    {
 808        error!("Error saving passkey: {:?}", e);
 809        return ApiError::InternalError(None).into_response();
 810    }
 811
 812    let _ = crate::auth::webauthn::delete_registration_state(&state.db, &input.did).await;
 813
 814    let app_password = generate_app_password();
 815    let app_password_name = "bsky.app".to_string();
 816    let password_hash = match hash(&app_password, DEFAULT_COST) {
 817        Ok(h) => h,
 818        Err(e) => {
 819            error!("Error hashing app password: {:?}", e);
 820            return ApiError::InternalError(None).into_response();
 821        }
 822    };
 823
 824    if let Err(e) = sqlx::query!(
 825        "INSERT INTO app_passwords (user_id, name, password_hash, privileged) VALUES ($1, $2, $3, FALSE)",
 826        user.id,
 827        app_password_name,
 828        password_hash
 829    )
 830    .execute(&state.db)
 831    .await
 832    {
 833        error!("Error creating app password: {:?}", e);
 834        return ApiError::InternalError(None).into_response();
 835    }
 836
 837    if let Err(e) = sqlx::query!(
 838        "UPDATE users SET recovery_token = NULL, recovery_token_expires_at = NULL WHERE did = $1",
 839        input.did.as_str()
 840    )
 841    .execute(&state.db)
 842    .await
 843    {
 844        error!("Error clearing setup token: {:?}", e);
 845    }
 846
 847    info!(did = %input.did, "Passkey-only account setup completed");
 848
 849    Json(CompletePasskeySetupResponse {
 850        did: input.did.clone(),
 851        handle: user.handle.into(),
 852        app_password,
 853        app_password_name,
 854    })
 855    .into_response()
 856}
 857
 858pub async fn start_passkey_registration_for_setup(
 859    State(state): State<AppState>,
 860    Json(input): Json<StartPasskeyRegistrationInput>,
 861) -> Response {
 862    let user = sqlx::query!(
 863        r#"SELECT handle, recovery_token, recovery_token_expires_at, password_required
 864           FROM users WHERE did = $1"#,
 865        input.did.as_str()
 866    )
 867    .fetch_optional(&state.db)
 868    .await;
 869
 870    let user = match user {
 871        Ok(Some(u)) => u,
 872        Ok(None) => {
 873            return ApiError::AccountNotFound.into_response();
 874        }
 875        Err(e) => {
 876            error!("DB error: {:?}", e);
 877            return ApiError::InternalError(None).into_response();
 878        }
 879    };
 880
 881    if user.password_required {
 882        return ApiError::InvalidAccount.into_response();
 883    }
 884
 885    let token_hash = match &user.recovery_token {
 886        Some(h) => h,
 887        None => {
 888            return ApiError::SetupExpired.into_response();
 889        }
 890    };
 891
 892    if let Some(expires_at) = user.recovery_token_expires_at
 893        && expires_at < Utc::now()
 894    {
 895        return ApiError::SetupExpired.into_response();
 896    }
 897
 898    if !bcrypt::verify(&input.setup_token, token_hash).unwrap_or(false) {
 899        return ApiError::InvalidToken(None).into_response();
 900    }
 901
 902    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
 903    let webauthn = match crate::auth::webauthn::WebAuthnConfig::new(&pds_hostname) {
 904        Ok(w) => w,
 905        Err(e) => {
 906            error!("Failed to create WebAuthn config: {:?}", e);
 907            return ApiError::InternalError(None).into_response();
 908        }
 909    };
 910
 911    let existing_passkeys = crate::auth::webauthn::get_passkeys_for_user(&state.db, &input.did)
 912        .await
 913        .unwrap_or_default();
 914
 915    let exclude_credentials: Vec<webauthn_rs::prelude::CredentialID> = existing_passkeys
 916        .iter()
 917        .map(|p| webauthn_rs::prelude::CredentialID::from(p.credential_id.clone()))
 918        .collect();
 919
 920    let display_name = input.friendly_name.as_deref().unwrap_or(&user.handle);
 921
 922    let (ccr, reg_state) = match webauthn.start_registration(
 923        &input.did,
 924        &user.handle,
 925        display_name,
 926        exclude_credentials,
 927    ) {
 928        Ok(result) => result,
 929        Err(e) => {
 930            error!("Failed to start passkey registration: {:?}", e);
 931            return ApiError::InternalError(None).into_response();
 932        }
 933    };
 934
 935    if let Err(e) =
 936        crate::auth::webauthn::save_registration_state(&state.db, &input.did, &reg_state).await
 937    {
 938        error!("Failed to save registration state: {:?}", e);
 939        return ApiError::InternalError(None).into_response();
 940    }
 941
 942    let options = serde_json::to_value(&ccr).unwrap_or(json!({}));
 943    Json(json!({"options": options})).into_response()
 944}
 945
 946#[derive(Deserialize)]
 947#[serde(rename_all = "camelCase")]
 948pub struct StartPasskeyRegistrationInput {
 949    pub did: Did,
 950    pub setup_token: String,
 951    pub friendly_name: Option<String>,
 952}
 953
 954#[derive(Deserialize)]
 955#[serde(rename_all = "camelCase")]
 956pub struct RequestPasskeyRecoveryInput {
 957    #[serde(alias = "identifier")]
 958    pub email: String,
 959}
 960
 961pub async fn request_passkey_recovery(
 962    State(state): State<AppState>,
 963    headers: HeaderMap,
 964    Json(input): Json<RequestPasskeyRecoveryInput>,
 965) -> Response {
 966    let client_ip = extract_client_ip(&headers);
 967    if !state
 968        .check_rate_limit(RateLimitKind::PasswordReset, &client_ip)
 969        .await
 970    {
 971        return ApiError::RateLimitExceeded(None).into_response();
 972    }
 973
 974    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
 975    let identifier = input.email.trim().to_lowercase();
 976    let identifier = identifier.strip_prefix('@').unwrap_or(&identifier);
 977    let normalized_handle = if identifier.contains('@') || identifier.contains('.') {
 978        identifier.to_string()
 979    } else {
 980        format!("{}.{}", identifier, pds_hostname)
 981    };
 982
 983    let user = sqlx::query!(
 984        "SELECT id, did, handle, password_required FROM users WHERE LOWER(email) = $1 OR handle = $2",
 985        identifier,
 986        normalized_handle
 987    )
 988    .fetch_optional(&state.db)
 989    .await;
 990
 991    let user = match user {
 992        Ok(Some(u)) if !u.password_required => u,
 993        _ => {
 994            return SuccessResponse::ok().into_response();
 995        }
 996    };
 997
 998    let recovery_token = generate_setup_token();
 999    let recovery_token_hash = match hash(&recovery_token, DEFAULT_COST) {
1000        Ok(h) => h,
1001        Err(_) => {
1002            return ApiError::InternalError(None).into_response();
1003        }
1004    };
1005    let expires_at = Utc::now() + Duration::hours(1);
1006
1007    if let Err(e) = sqlx::query!(
1008        "UPDATE users SET recovery_token = $1, recovery_token_expires_at = $2 WHERE did = $3",
1009        recovery_token_hash,
1010        expires_at,
1011        &user.did
1012    )
1013    .execute(&state.db)
1014    .await
1015    {
1016        error!("Error updating recovery token: {:?}", e);
1017        return ApiError::InternalError(None).into_response();
1018    }
1019
1020    let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
1021    let recovery_url = format!(
1022        "https://{}/app/recover-passkey?did={}&token={}",
1023        hostname,
1024        urlencoding::encode(&user.did),
1025        urlencoding::encode(&recovery_token)
1026    );
1027
1028    let _ =
1029        crate::comms::enqueue_passkey_recovery(&state.db, user.id, &recovery_url, &hostname).await;
1030
1031    info!(did = %user.did, "Passkey recovery requested");
1032    SuccessResponse::ok().into_response()
1033}
1034
1035#[derive(Deserialize)]
1036#[serde(rename_all = "camelCase")]
1037pub struct RecoverPasskeyAccountInput {
1038    pub did: Did,
1039    pub recovery_token: String,
1040    pub new_password: PlainPassword,
1041}
1042
1043pub async fn recover_passkey_account(
1044    State(state): State<AppState>,
1045    Json(input): Json<RecoverPasskeyAccountInput>,
1046) -> Response {
1047    if let Err(e) = validate_password(&input.new_password) {
1048        return ApiError::InvalidRequest(e.to_string()).into_response();
1049    }
1050
1051    let user = sqlx::query!(
1052        "SELECT id, did, recovery_token, recovery_token_expires_at FROM users WHERE did = $1",
1053        input.did.as_str()
1054    )
1055    .fetch_optional(&state.db)
1056    .await;
1057
1058    let user = match user {
1059        Ok(Some(u)) => u,
1060        _ => {
1061            return ApiError::InvalidRecoveryLink.into_response();
1062        }
1063    };
1064
1065    let token_hash = match &user.recovery_token {
1066        Some(h) => h,
1067        None => {
1068            return ApiError::InvalidRecoveryLink.into_response();
1069        }
1070    };
1071
1072    if let Some(expires_at) = user.recovery_token_expires_at
1073        && expires_at < Utc::now()
1074    {
1075        return ApiError::RecoveryLinkExpired.into_response();
1076    }
1077
1078    if !bcrypt::verify(&input.recovery_token, token_hash).unwrap_or(false) {
1079        return ApiError::InvalidRecoveryLink.into_response();
1080    }
1081
1082    let password_hash = match hash(&input.new_password, DEFAULT_COST) {
1083        Ok(h) => h,
1084        Err(_) => {
1085            return ApiError::InternalError(None).into_response();
1086        }
1087    };
1088
1089    if let Err(e) = sqlx::query!(
1090        "UPDATE users SET password_hash = $1, password_required = TRUE, recovery_token = NULL, recovery_token_expires_at = NULL WHERE did = $2",
1091        password_hash,
1092        input.did.as_str()
1093    )
1094    .execute(&state.db)
1095    .await
1096    {
1097        error!("Error updating password: {:?}", e);
1098        return ApiError::InternalError(None).into_response();
1099    }
1100
1101    let deleted = sqlx::query!("DELETE FROM passkeys WHERE did = $1", input.did.as_str())
1102        .execute(&state.db)
1103        .await;
1104    match deleted {
1105        Ok(result) => {
1106            if result.rows_affected() > 0 {
1107                info!(did = %input.did, count = result.rows_affected(), "Deleted lost passkeys during account recovery");
1108            }
1109        }
1110        Err(e) => {
1111            warn!(did = %input.did, "Failed to delete passkeys during recovery: {:?}", e);
1112        }
1113    }
1114
1115    info!(did = %input.did, "Passkey-only account recovered with temporary password");
1116    SuccessResponse::ok().into_response()
1117}