# Lewis' Big Boy TODO list

## Active development

### Frontend
So like... make the thing unique, make it cool.

- [ ] Frontpage that explains what this thing is
- [ ] Unique "brand" style both unauthed and authed
- [ ] Better documentation on how to sub out the entire frontend for whatever the users want

### Passkeys and 2FA
Modern passwordless authentication using WebAuthn/FIDO2, plus TOTP for defense in depth.

- [x] passkeys table (id, did, credential_id, public_key, sign_count, created_at, last_used, friendly_name)
- [x] user_totp table (did, secret_encrypted, verified, created_at, last_used)
- [x] WebAuthn registration challenge generation and attestation verification
- [x] TOTP secret generation with QR code setup flow
- [x] Backup codes (hashed, one-time use) with recovery flow
- [x] OAuth authorize flow: password -> 2FA (if enabled) -> passkey (as alternative)
- [ ] Passkey-only account creation (no password)
- [x] Settings UI for managing passkeys, TOTP, backup codes
- [ ] Trusted devices option (remember this browser)
- [x] Rate limit 2FA attempts
- [ ] Re-auth for sensitive actions (email change, adding new auth methods)

### Delegated accounts
Accounts controlled by other accounts rather than having their own password. When logging in as a delegated account, the OAuth flow asks you to authenticate with a linked controller account. Uses OAuth scopes as the permission model.

- [ ] Account type flag in actors table (personal | delegated)
- [ ] account_delegations table (delegated_did, controller_did, granted_scopes[], granted_at, granted_by, revoked_at)
- [ ] Detect delegated account during authorize flow
- [ ] Redirect to "authenticate as controller" instead of password prompt
- [ ] Validate that the controller has an unrevoked delegation grant for this account
- [ ] Issue token with the intersection of requested scopes ∩ granted scopes
- [ ] Token includes act_as claim indicating delegation
- [ ] Define standard scope sets (owner, admin, editor, viewer)
- [ ] Create delegated account flow (no password, must add initial controller)
- [ ] Controller management page (add/remove controllers, modify scopes)
- [ ] "Act as" account switcher for users with delegation grants
- [ ] Log all actions with both actor DID and controller DID
- [ ] Audit log view for delegated account owners

### Migration tool
Seamless account migration built into the UI, inspired by pdsmoover. Users shouldn't need external tools or brain surgery on half-done account states.

- [ ] Add `migratingTo` parameter to `deactivateAccount` endpoint
- [ ] For self-hosted did:web users: set `migrated_to_pds`, update DID doc serviceEndpoint
- [ ] "Migrated" account state for self-hosted did:web: can authenticate but no repo operations
- [ ] Migrated did:web user UI: minimal dashboard with "update forwarding PDS" setting, or full migration wizard to handle PDS 2 -> PDS 3 moves automatically
- [ ] Outbound UI wizard: new PDS URL -> export repo -> guide account creation -> complete migration
- [ ] Inbound UI wizard: login to old PDS -> choose handle -> import -> PLC token flow
- [ ] Support `createAccount` with existing DID + service auth token
- [ ] Progress tracking with resume capability
- [ ] Scheduled automatic backups (CAR export)
- [ ] One-click restore from backup

### Plugin system
Extensible architecture allowing third-party plugins to add functionality, like Minecraft mods or browser extensions.

- [ ] Research: survey Fabric/Forge, VS Code, Grafana, Caddy plugin architectures
- [ ] Evaluate Rust approaches: WASM, dynamic linking, subprocess IPC, embedded scripting (Lua/Rhai)
- [ ] Define security model (sandboxing, permissions, resource limits)
- [ ] Plugin manifest format (name, version, deps, permissions, hooks)
- [ ] Plugin discovery, loading, lifecycle (enable/disable/hot reload)
- [ ] Error isolation (bad plugin shouldn't crash PDS)
- [ ] Extension points: request middleware, record lifecycle hooks, custom XRPC endpoints
- [ ] Extension points: custom lexicons, storage backends, auth providers, notification channels
- [ ] Extension points: firehose consumers (react to repo events)
- [ ] Plugin SDK crate with traits and helpers
- [ ] Example plugins: custom feed algorithm, content filter, S3 backup
- [ ] Plugin registry with signature verification and version compatibility

### Plugin: Private/encrypted data
Records that only authorized parties can see and decrypt. Requires key federation between PDSes. Implemented as a plugin using the plugin system above.

- [ ] Survey current ATProto discourse on private data
- [ ] Document Bluesky team's likely approach
- [ ] Design key management strategy
- [ ] Per-user encryption keys (separate from signing keys)
- [ ] Key derivation for per-record or per-collection encryption
- [ ] Encrypted record storage format
- [ ] Transparent encryption/decryption in repo operations
- [ ] Protocol for sharing decryption keys between PDSes
- [ ] Handle key rotation and revocation

---

## Completed

Core ATProto: Health, describeServer, all session endpoints, full repo CRUD, applyWrites, blob upload, importRepo, firehose with cursor replay, CAR export, blob sync, crawler notifications, handle resolution, PLC operations, full admin API, moderation reports.

did:web support: Self-hosted did:web (subdomain format `did:web:handle.pds.com`), external/BYOD did:web, DID document serving via `/.well-known/did.json`, migration tracking for did:web users who leave (serviceEndpoint redirect), clear registration warnings about did:web trade-offs vs did:plc.

OAuth 2.1: Authorization server metadata, JWKS, PAR, authorize endpoint with login UI, token endpoint (auth code + refresh), revocation, introspection, DPoP, PKCE S256, client metadata validation, private_key_jwt verification.

OAuth Scope Enforcement: Full granular scope system with consent UI, human-readable scope descriptions, per-client scope preferences, scope parsing (repo/blob/rpc/account/identity), endpoint-level scope checks, DPoP token support in auth extractors, token revocation on re-authorization, response_mode support (query/fragment).

App endpoints: getPreferences, putPreferences, getProfile, getProfiles, getTimeline, getAuthorFeed, getActorLikes, getPostThread, getFeed, registerPush (all with local-first + proxy fallback).
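The scope intersection and grant check planned under "Delegated accounts" sit naturally on top of the scope parsing listed above. The following is an added Rust example, not code from this project: it models the `account_delegations` row, looks for an unrevoked grant, computes requested ∩ granted, and refuses to mint a token whose scope set would be empty. Assumed here: scopes are opaque strings compared exactly (the `repo:...` / `account:...` strings are illustrative), times are unix seconds, and the `act_as` claim carries the controller DID while `sub` stays the delegated account so per-DID endpoint checks keep working. The sample rows and DIDs are constructed for the example.

```rust
// Added example, not the project's code. Assumed: exact-match scope strings,
// unix-second timestamps, and an `act_as` claim holding the controller DID.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AccountType {
    Personal,
    Delegated,
}

/// One row of the planned account_delegations table (subset of columns).
#[derive(Debug, Clone)]
pub struct Delegation {
    pub delegated_did: String,
    pub controller_did: String,
    pub granted_scopes: Vec<String>,
    pub revoked_at: Option<u64>, // None while the grant is active
}

/// Claims destined for the access token; signing is out of scope here.
#[derive(Debug, PartialEq)]
pub struct TokenClaims {
    pub sub: String,            // delegated account the token operates on
    pub act_as: Option<String>, // controller DID when this is a delegated session
    pub scope: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub enum DelegationError {
    NotDelegated,        // personal accounts never take the controller path
    NoGrant,             // controller has no row for this account
    GrantRevoked,        // row exists but revoked_at is in the past
    NoOverlappingScopes, // requested ∩ granted is empty: refuse, don't mint a useless token
}

/// Find a grant that lets `controller_did` act as `delegated_did` right now.
/// A revoked_at in the future still counts as active.
pub fn find_active_grant<'a>(
    grants: &'a [Delegation],
    delegated_did: &str,
    controller_did: &str,
    now: u64,
) -> Result<&'a Delegation, DelegationError> {
    let mut saw_revoked = false;
    for g in grants
        .iter()
        .filter(|g| g.delegated_did == delegated_did && g.controller_did == controller_did)
    {
        match g.revoked_at {
            Some(t) if t <= now => saw_revoked = true,
            _ => return Ok(g),
        }
    }
    if saw_revoked { Err(DelegationError::GrantRevoked) } else { Err(DelegationError::NoGrant) }
}

/// requested ∩ granted, keeping the client's order and dropping duplicates.
pub fn intersect_scopes(requested: &[&str], granted: &[String]) -> Vec<String> {
    let allowed: HashSet<&str> = granted.iter().map(String::as_str).collect();
    let mut seen: HashSet<&str> = HashSet::new();
    requested
        .iter()
        .copied()
        .filter(|s| allowed.contains(s) && seen.insert(*s))
        .map(str::to_string)
        .collect()
}

/// Authorize-flow step: the controller has authenticated, the client asked for `requested`.
pub fn issue_delegated_token(
    account_type: AccountType,
    grants: &[Delegation],
    delegated_did: &str,
    controller_did: &str,
    requested: &[&str],
    now: u64,
) -> Result<TokenClaims, DelegationError> {
    if account_type != AccountType::Delegated {
        return Err(DelegationError::NotDelegated);
    }
    let grant = find_active_grant(grants, delegated_did, controller_did, now)?;
    let scope = intersect_scopes(requested, &grant.granted_scopes);
    if scope.is_empty() {
        return Err(DelegationError::NoOverlappingScopes);
    }
    Ok(TokenClaims { sub: delegated_did.to_string(), act_as: Some(controller_did.to_string()), scope })
}

/// Constructed sample rows (not real DIDs): alice controls the team account,
/// bob's grant was revoked at t=1_600_000_000.
pub fn sample_grants() -> Vec<Delegation> {
    let s = |v: &[&str]| v.iter().map(|x| x.to_string()).collect::<Vec<_>>();
    vec![
        Delegation {
            delegated_did: "did:plc:team".into(),
            controller_did: "did:plc:alice".into(),
            granted_scopes: s(&["repo:app.bsky.feed.post", "repo:app.bsky.feed.like", "blob:image/*"]),
            revoked_at: None,
        },
        Delegation {
            delegated_did: "did:plc:team".into(),
            controller_did: "did:plc:bob".into(),
            granted_scopes: s(&["account:email"]),
            revoked_at: Some(1_600_000_000),
        },
    ]
}

fn main() {
    let now = 1_700_000_000;
    let grants = sample_grants();
    let requested = ["repo:app.bsky.feed.post", "account:email", "repo:app.bsky.feed.post"];
    println!("{:?}", issue_delegated_token(AccountType::Delegated, &grants, "did:plc:team", "did:plc:alice", &requested, now));
    println!("{:?}", issue_delegated_token(AccountType::Delegated, &grants, "did:plc:team", "did:plc:bob", &requested, now));
}
```

Two design points worth keeping when this lands: the intersection silently drops scopes the controller was never granted, so the consent screen should show the user what was dropped, and the audit log entry for every request should record both `sub` and `act_as` so actions by a controller are attributable to a person, not just to the shared account.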
Infrastructure: Sequencer with cursor replay, Postgres repo storage with atomic transactions, Valkey DID cache, debounced crawler notifications with circuit breakers, multi-channel notifications (email/Discord/Telegram/Signal), image processing, distributed rate limiting, security hardening.

Web UI: OAuth login, registration, email verification, password reset, multi-account selector, dashboard, sessions, app passwords, invites, notification preferences, repo browser, CAR export, admin panel, OAuth consent screen with scope selection.

Auth: ES256K + HS256 dual support, JTI-only token storage, refresh token family tracking, encrypted signing keys (AES-256-GCM), DPoP replay protection, constant-time comparisons.
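"JTI-only token storage" and "refresh token family tracking" in the Auth line above are the two halves of one mechanism: the server stores only each refresh token's random id, and every token descended from one login belongs to a family, so that a replay of an already-rotated token reveals theft and kills the whole family. The following is an added Rust example of that mechanism, not the project's implementation; the store, the `jti-N` counter (a stand-in for a CSPRNG id), the error names and the walkthrough scenario are all assumptions made for the example.

```rust
// Added example, not the project's code: refresh-token rotation with family
// tracking, reuse detection and JTI-only storage. Assumed: jti values are a
// counter here (a real server draws them from a CSPRNG), times are unix seconds.
use std::collections::{HashMap, HashSet};

#[derive(Debug, Clone, PartialEq)]
pub struct RefreshRecord {
    pub family: u64, // every token descended from one login shares a family
    pub did: String,
    pub expires_at: u64,
    pub consumed: bool, // set when rotated; presenting it again is reuse
}

#[derive(Debug, Clone, PartialEq)]
pub enum RefreshError {
    Unknown,       // jti never issued, or already purged
    Expired,
    ReuseDetected, // an already-rotated token came back: family revoked
    FamilyRevoked, // family was killed earlier (reuse, logout, admin action)
}

#[derive(Default)]
pub struct RefreshStore {
    tokens: HashMap<String, RefreshRecord>, // keyed by jti only, never the token itself
    revoked_families: HashSet<u64>,
    next_family: u64,
    next_jti: u64,
}

impl RefreshStore {
    fn new_jti(&mut self) -> String {
        self.next_jti += 1;
        format!("jti-{}", self.next_jti) // placeholder for a random 128-bit id
    }

    /// Login: open a new family and hand out its first refresh token.
    pub fn issue_family(&mut self, did: &str, now: u64, ttl: u64) -> String {
        self.next_family += 1;
        let family = self.next_family;
        let jti = self.new_jti();
        let rec = RefreshRecord { family, did: did.to_string(), expires_at: now + ttl, consumed: false };
        self.tokens.insert(jti.clone(), rec);
        jti
    }

    /// Refresh grant: consume `jti` and return the next jti of the same family.
    pub fn rotate(&mut self, jti: &str, now: u64, ttl: u64) -> Result<String, RefreshError> {
        let rec = match self.tokens.get(jti) {
            Some(r) => r.clone(),
            None => return Err(RefreshError::Unknown),
        };
        if self.revoked_families.contains(&rec.family) {
            return Err(RefreshError::FamilyRevoked);
        }
        if rec.consumed {
            // The real client or a thief is replaying an old token; we cannot tell
            // which, so every token in the family dies and the user logs in again.
            self.revoke_family(rec.family);
            return Err(RefreshError::ReuseDetected);
        }
        if rec.expires_at <= now {
            return Err(RefreshError::Expired);
        }
        self.tokens.get_mut(jti).expect("present: looked up above").consumed = true;
        let next = self.new_jti();
        let fresh = RefreshRecord { family: rec.family, did: rec.did, expires_at: now + ttl, consumed: false };
        self.tokens.insert(next.clone(), fresh);
        Ok(next)
    }

    /// Logout, detected reuse or admin revocation: nothing in this family refreshes again.
    pub fn revoke_family(&mut self, family: u64) {
        self.revoked_families.insert(family);
    }

    /// Housekeeping: drop expired records; a purged jti later reads as Unknown.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.tokens.len();
        self.tokens.retain(|_, r| r.expires_at > now);
        before - self.tokens.len()
    }

    pub fn family_of(&self, jti: &str) -> Option<u64> {
        self.tokens.get(jti).map(|r| r.family)
    }
}

/// Walk through the stolen-refresh-token story and return each step's outcome.
pub fn replay_scenario() -> Vec<Result<String, RefreshError>> {
    let mut store = RefreshStore::default();
    let ttl = 30 * 24 * 3600;
    let t1 = store.issue_family("did:plc:alice", 1_000, ttl); // constructed DID
    let mut out = Vec::new();
    out.push(store.rotate(&t1, 1_100, ttl)); // legitimate refresh -> jti-2
    out.push(store.rotate(&t1, 1_200, ttl)); // thief replays t1 -> ReuseDetected
    let t2 = out[0].clone().unwrap();
    out.push(store.rotate(&t2, 1_300, ttl)); // legitimate client's token is dead too -> FamilyRevoked
    out
}

fn main() {
    for step in replay_scenario() {
        println!("{:?}", step);
    }
}
```

The ordering of checks in `rotate` matters: the consumed check runs before the expiry check so that a replayed token still trips reuse detection even after it has expired, and the family-revoked check runs first so a dead family never leaks whether a particular jti ever existed. In production the `tokens` map is the database table and the reuse branch should also raise a security notification for the affected account.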