+1

frontend/src/lib/api.ts

··· 266 266 inviteCodeRequired: boolean 267 267 links?: { privacyPolicy?: string; termsOfService?: string } 268 268 version?: string 269 269 + availableCommsChannels?: string[] 269 270 }> { 270 271 return xrpc('com.atproto.server.describeServer') 271 272 },

+2

frontend/src/locales/en.json

··· 96 96 "signalNumber": "Signal Phone Number", 97 97 "signalNumberPlaceholder": "+1234567890", 98 98 "signalNumberHint": "Include country code (e.g., +1 for US)", 99 99 + "notConfigured": "not configured", 99 100 "inviteCode": "Invite Code", 100 101 "inviteCodePlaceholder": "Enter your invite code", 101 102 "inviteCodeRequired": "required", ··· 388 389 "telegramVia": "Receive messages via Telegram", 389 390 "signalVia": "Receive messages via Signal", 390 391 "configureToEnable": "Configure below to enable", 392 392 + "notConfiguredOnServer": "Not configured on this server", 391 393 "emailManagedInSettings": "Your email is managed in Account Settings", 392 394 "discordIdHint": "Your Discord user ID (not username). Enable Developer Mode in Discord to copy it.", 393 395 "telegramHint": "Your Telegram username without the @ symbol",

+2

frontend/src/locales/fi.json

··· 96 96 "signalNumber": "Signal-puhelinnumero", 97 97 "signalNumberPlaceholder": "+358401234567", 98 98 "signalNumberHint": "Sisällytä maakoodi (esim. +358 Suomelle)", 99 99 + "notConfigured": "ei määritetty", 99 100 "inviteCode": "Kutsukoodi", 100 101 "inviteCodePlaceholder": "Syötä kutsukoodisi", 101 102 "inviteCodeRequired": "vaaditaan", ··· 388 389 "telegramVia": "Vastaanota viestejä Telegramissa", 389 390 "signalVia": "Vastaanota viestejä Signalissa", 390 391 "configureToEnable": "Määritä alla ottaaksesi käyttöön", 392 392 + "notConfiguredOnServer": "Ei määritetty tällä palvelimella", 391 393 "emailManagedInSettings": "Sähköpostisi hallinnoidaan Tilin asetuksissa", 392 394 "discordIdHint": "Discord-käyttäjätunnuksesi (ei käyttäjänimi). Ota Kehittäjätila käyttöön Discordissa kopioidaksesi sen.", 393 395 "telegramHint": "Telegram-käyttäjänimesi ilman @-merkkiä",

+2

frontend/src/locales/ja.json

··· 96 96 "signalNumber": "Signal 電話番号", 97 97 "signalNumberPlaceholder": "+81XXXXXXXXXX", 98 98 "signalNumberHint": "国番号を含めてください（例: 日本は +81）", 99 99 + "notConfigured": "未設定", 99 100 "inviteCode": "招待コード", 100 101 "inviteCodePlaceholder": "招待コードを入力", 101 102 "inviteCodeRequired": "必須", ··· 388 389 "telegramVia": "Telegram でメッセージを受信", 389 390 "signalVia": "Signal でメッセージを受信", 390 391 "configureToEnable": "有効にするには下記で設定", 392 392 + "notConfiguredOnServer": "このサーバーでは設定されていません", 391 393 "emailManagedInSettings": "メールはアカウント設定で管理されています", 392 394 "discordIdHint": "Discord ユーザー ID（ユーザー名ではありません）。Discord で開発者モードを有効にしてコピーしてください。", 393 395 "telegramHint": "@ 記号なしの Telegram ユーザー名",

+2

frontend/src/locales/ko.json

··· 96 96 "signalNumber": "Signal 전화번호", 97 97 "signalNumberPlaceholder": "+821012345678", 98 98 "signalNumberHint": "국가 코드 포함 (예: 한국 +82)", 99 99 + "notConfigured": "구성되지 않음", 99 100 "inviteCode": "초대 코드", 100 101 "inviteCodePlaceholder": "초대 코드 입력", 101 102 "inviteCodeRequired": "필수", ··· 388 389 "telegramVia": "Telegram으로 메시지 받기", 389 390 "signalVia": "Signal로 메시지 받기", 390 391 "configureToEnable": "활성화하려면 아래에서 설정", 392 392 + "notConfiguredOnServer": "이 서버에서 설정되지 않음", 391 393 "emailManagedInSettings": "이메일은 계정 설정에서 관리됩니다", 392 394 "discordIdHint": "Discord 사용자 ID (사용자 이름 아님). Discord에서 개발자 모드를 활성화하여 복사하세요.", 393 395 "telegramHint": "@ 기호 없이 Telegram 사용자 이름",

+2

frontend/src/locales/sv.json

··· 96 96 "signalNumber": "Signal-telefonnummer", 97 97 "signalNumberPlaceholder": "+46701234567", 98 98 "signalNumberHint": "Inkludera landskod (t.ex. +46 för Sverige)", 99 99 + "notConfigured": "ej konfigurerad", 99 100 "inviteCode": "Inbjudningskod", 100 101 "inviteCodePlaceholder": "Ange din inbjudningskod", 101 102 "inviteCodeRequired": "krävs", ··· 388 389 "telegramVia": "Ta emot meddelanden via Telegram", 389 390 "signalVia": "Ta emot meddelanden via Signal", 390 391 "configureToEnable": "Konfigurera nedan för att aktivera", 392 392 + "notConfiguredOnServer": "Inte konfigurerat på denna server", 391 393 "emailManagedInSettings": "Din e-post hanteras i Kontoinställningar", 392 394 "discordIdHint": "Ditt Discord användar-ID (inte användarnamn). Aktivera Utvecklarläge i Discord för att kopiera det.", 393 395 "telegramHint": "Ditt Telegram-användarnamn utan @-symbolen",

+2

frontend/src/locales/zh.json

··· 96 96 "signalNumber": "Signal 电话号码", 97 97 "signalNumberPlaceholder": "+1234567890", 98 98 "signalNumberHint": "包含国家代码（例如中国为 +86）", 99 99 + "notConfigured": "未配置", 99 100 "inviteCode": "邀请码", 100 101 "inviteCodePlaceholder": "输入您的邀请码", 101 102 "inviteCodeRequired": "必填", ··· 388 389 "telegramVia": "通过 Telegram 接收消息", 389 390 "signalVia": "通过 Signal 接收消息", 390 391 "configureToEnable": "请先在下方配置", 392 392 + "notConfiguredOnServer": "此服务器未配置", 391 393 "emailManagedInSettings": "邮箱在账户设置中管理", 392 394 "discordIdHint": "您的 Discord 数字用户 ID（非用户名）。在 Discord 中开启开发者模式即可复制。", 393 395 "telegramHint": "您的 Telegram 用户名，不含 @ 符号",

+47 -12

frontend/src/routes/Comms.svelte

··· 10 10 let error = $state<string | null>(null) 11 11 let success = $state<string | null>(null) 12 12 let preferredChannel = $state('email') 13 13 + let availableCommsChannels = $state<string[]>(['email']) 13 14 let email = $state('') 14 15 let discordId = $state('') 15 16 let discordVerified = $state(false) ··· 47 48 loading = true 48 49 error = null 49 50 try { 50 50 - const prefs = await api.getNotificationPrefs(auth.session.accessJwt) 51 51 + const [prefs, serverInfo] = await Promise.all([ 52 52 + api.getNotificationPrefs(auth.session.accessJwt), 53 53 + api.describeServer() 54 54 + ]) 51 55 preferredChannel = prefs.preferredChannel 52 56 email = prefs.email 53 57 discordId = prefs.discordId ?? '' ··· 56 60 telegramVerified = prefs.telegramVerified 57 61 signalNumber = prefs.signalNumber ?? '' 58 62 signalVerified = prefs.signalVerified 63 63 + availableCommsChannels = serverInfo.availableCommsChannels ?? ['email'] 59 64 } catch (e) { 60 65 error = e instanceof ApiError ? e.message : 'Failed to load notification preferences' 61 66 } finally { ··· 135 140 default: return '' 136 141 } 137 142 } 143 143 + function isChannelAvailableOnServer(channelId: string): boolean { 144 144 + return availableCommsChannels.includes(channelId) 145 145 + } 138 146 function canSelectChannel(channelId: string): boolean { 147 147 + if (!isChannelAvailableOnServer(channelId)) return false 139 148 if (channelId === 'email') return true 140 149 if (channelId === 'discord') return !!discordId 141 150 if (channelId === 'telegram') return !!telegramUsername ··· 174 183 </p> 175 184 <div class="channel-options"> 176 185 {#each channels as channelId} 177 177 - <label class="channel-option" class:disabled={!canSelectChannel(channelId)}> 186 186 + <label class="channel-option" class:disabled={!canSelectChannel(channelId)} class:unavailable={!isChannelAvailableOnServer(channelId)}> 178 187 <input 179 188 type="radio" 180 189 name="preferredChannel" ··· 185 194 <div class="channel-info"> 186 195 <span class="channel-name">{getChannelName(channelId)}</span> 187 196 <span class="channel-description">{getChannelDescription(channelId)}</span> 188 188 - {#if channelId !== 'email' && !canSelectChannel(channelId)} 197 197 + {#if !isChannelAvailableOnServer(channelId)} 198 198 + <span class="channel-hint server-unavailable">{$_('comms.notConfiguredOnServer')}</span> 199 199 + {:else if channelId !== 'email' && !canSelectChannel(channelId)} 189 200 <span class="channel-hint">{$_('comms.configureToEnable')}</span> 190 201 {/if} 191 202 </div> ··· 210 221 </div> 211 222 <p class="config-hint">{$_('comms.emailManagedInSettings')}</p> 212 223 </div> 213 213 - <div class="config-item"> 224 224 + <div class="config-item" class:unavailable={!isChannelAvailableOnServer('discord')}> 214 225 <label for="discord">{$_('register.discordId')}</label> 215 226 <div class="config-input"> 216 227 <input ··· 218 229 type="text" 219 230 bind:value={discordId} 220 231 placeholder={$_('register.discordIdPlaceholder')} 221 221 - disabled={saving} 232 232 + disabled={saving || !isChannelAvailableOnServer('discord')} 222 233 /> 223 223 - {#if discordId} 234 234 + {#if !isChannelAvailableOnServer('discord')} 235 235 + <span class="status unavailable">{$_('comms.notConfiguredOnServer')}</span> 236 236 + {:else if discordId} 224 237 {#if discordVerified} 225 238 <span class="status verified">{$_('comms.verified')}</span> 226 239 {:else} ··· 243 256 </div> 244 257 {/if} 245 258 </div> 246 246 - <div class="config-item"> 259 259 + <div class="config-item" class:unavailable={!isChannelAvailableOnServer('telegram')}> 247 260 <label for="telegram">{$_('register.telegramUsername')}</label> 248 261 <div class="config-input"> 249 262 <input ··· 251 264 type="text" 252 265 bind:value={telegramUsername} 253 266 placeholder={$_('register.telegramUsernamePlaceholder')} 254 254 - disabled={saving} 267 267 + disabled={saving || !isChannelAvailableOnServer('telegram')} 255 268 /> 256 256 - {#if telegramUsername} 269 269 + {#if !isChannelAvailableOnServer('telegram')} 270 270 + <span class="status unavailable">{$_('comms.notConfiguredOnServer')}</span> 271 271 + {:else if telegramUsername} 257 272 {#if telegramVerified} 258 273 <span class="status verified">{$_('comms.verified')}</span> 259 274 {:else} ··· 276 291 </div> 277 292 {/if} 278 293 </div> 279 279 - <div class="config-item"> 294 294 + <div class="config-item" class:unavailable={!isChannelAvailableOnServer('signal')}> 280 295 <label for="signal">{$_('register.signalNumber')}</label> 281 296 <div class="config-input"> 282 297 <input ··· 284 299 type="tel" 285 300 bind:value={signalNumber} 286 301 placeholder={$_('register.signalNumberPlaceholder')} 287 287 - disabled={saving} 302 302 + disabled={saving || !isChannelAvailableOnServer('signal')} 288 303 /> 289 289 - {#if signalNumber} 304 304 + {#if !isChannelAvailableOnServer('signal')} 305 305 + <span class="status unavailable">{$_('comms.notConfiguredOnServer')}</span> 306 306 + {:else if signalNumber} 290 307 {#if signalVerified} 291 308 <span class="status verified">{$_('comms.verified')}</span> 292 309 {:else} ··· 439 456 cursor: not-allowed; 440 457 } 441 458 459 459 + .channel-option.unavailable { 460 460 + opacity: 0.5; 461 461 + background: var(--bg-input-disabled); 462 462 + } 463 463 + 442 464 .channel-option input[type="radio"] { 443 465 flex-shrink: 0; 444 466 width: 16px; ··· 467 489 font-size: var(--text-xs); 468 490 color: var(--text-muted); 469 491 font-style: italic; 492 492 + } 493 493 + 494 494 + .channel-hint.server-unavailable { 495 495 + color: var(--warning-text); 470 496 } 471 497 472 498 .channel-config { ··· 481 507 gap: var(--space-1); 482 508 } 483 509 510 510 + .config-item.unavailable { 511 511 + opacity: 0.6; 512 512 + } 513 513 + 484 514 .config-item label { 485 515 font-size: var(--text-sm); 486 516 font-weight: var(--font-medium); ··· 516 546 .status.unverified { 517 547 background: var(--warning-bg); 518 548 color: var(--warning-text); 549 549 + } 550 550 + 551 551 + .status.unavailable { 552 552 + background: var(--bg-input-disabled); 553 553 + color: var(--text-muted); 519 554 } 520 555 521 556 .config-hint {

+3 -3

frontend/src/routes/Home.svelte

··· 153 153 154 154 <h2>Works with everything</h2> 155 155 156 156 - <p>Use any ATProto app you already like. Tranquil PDS speaks the same language as Bluesky's servers, so all your favorite clients, tools, and bots just work.</p> 156 156 + <p>Use any ATProto app you already like. Tranquil PDS speaks the same language as Bluesky's servers, so all your favorite clients and tools just work.</p> 157 157 158 158 <h2>Ready to try it?</h2> 159 159 ··· 170 170 </section> 171 171 172 172 <footer class="site-footer"> 173 173 - <span>Open Source</span> 174 174 - <span>Made with patience</span> 173 173 + <span>Made by people who don't take themselves too seriously</span> 174 174 + <span>Open Source: issues & PRs welcome</span> 175 175 </footer> 176 176 </div> 177 177

+1 -1

frontend/src/routes/Login.svelte

··· 144 144 </button> 145 145 146 146 <p class="link-text"> 147 147 - {$_('login.noAccount')} <a href="#/register">{$_('login.createAcount')}</a> 147 147 + {$_('login.noAccount')} <a href="#/register">{$_('login.createAccount')}</a> 148 148 </p> 149 149 150 150 {:else}

+15 -3

frontend/src/routes/Register.svelte

··· 22 22 let serverInfo = $state<{ 23 23 availableUserDomains: string[] 24 24 inviteCodeRequired: boolean 25 25 + availableCommsChannels?: string[] 25 26 } | null>(null) 26 27 let loadingServerInfo = $state(true) 27 28 let serverInfoLoaded = false ··· 46 47 } 47 48 48 49 let handleHasDot = $derived(handle.includes('.')) 50 50 + 51 51 + function isChannelAvailable(channel: string): boolean { 52 52 + const available = serverInfo?.availableCommsChannels ?? ['email'] 53 53 + return available.includes(channel) 54 54 + } 49 55 50 56 function validateForm(): string | null { 51 57 if (!handle.trim()) return $_('register.validation.handleRequired') ··· 262 268 <label for="verification-channel">{$_('register.verificationMethod')}</label> 263 269 <select id="verification-channel" bind:value={verificationChannel} disabled={submitting}> 264 270 <option value="email">{$_('register.email')}</option> 265 265 - <option value="discord">{$_('register.discord')}</option> 266 266 - <option value="telegram">{$_('register.telegram')}</option> 267 267 - <option value="signal">{$_('register.signal')}</option> 271 271 + <option value="discord" disabled={!isChannelAvailable('discord')}> 272 272 + {$_('register.discord')}{isChannelAvailable('discord') ? '' : ` (${$_('register.notConfigured')})`} 273 273 + </option> 274 274 + <option value="telegram" disabled={!isChannelAvailable('telegram')}> 275 275 + {$_('register.telegram')}{isChannelAvailable('telegram') ? '' : ` (${$_('register.notConfigured')})`} 276 276 + </option> 277 277 + <option value="signal" disabled={!isChannelAvailable('signal')}> 278 278 + {$_('register.signal')}{isChannelAvailable('signal') ? '' : ` (${$_('register.notConfigured')})`} 279 279 + </option> 268 280 </select> 269 281 </div> 270 282

+15 -4

frontend/src/routes/RegisterPasskey.svelte

··· 19 19 let passkeyName = $state('') 20 20 let submitting = $state(false) 21 21 let error = $state<string | null>(null) 22 22 - let serverInfo = $state<{ availableUserDomains: string[]; inviteCodeRequired: boolean } | null>(null) 22 22 + let serverInfo = $state<{ availableUserDomains: string[]; inviteCodeRequired: boolean; availableCommsChannels?: string[] } | null>(null) 23 23 let loadingServerInfo = $state(true) 24 24 let serverInfoLoaded = false 25 25 ··· 289 289 } 290 290 } 291 291 292 292 + function isChannelAvailable(ch: string): boolean { 293 293 + const available = serverInfo?.availableCommsChannels ?? ['email'] 294 294 + return available.includes(ch) 295 295 + } 296 296 + 292 297 function goToLogin() { 293 298 navigate('/login') 294 299 } ··· 363 368 <label for="verification-channel">Verification Method</label> 364 369 <select id="verification-channel" bind:value={verificationChannel} disabled={submitting}> 365 370 <option value="email">Email</option> 366 366 - <option value="discord">Discord</option> 367 367 - <option value="telegram">Telegram</option> 368 368 - <option value="signal">Signal</option> 371 371 + <option value="discord" disabled={!isChannelAvailable('discord')}> 372 372 + Discord{isChannelAvailable('discord') ? '' : ` (${$_('register.notConfigured')})`} 373 373 + </option> 374 374 + <option value="telegram" disabled={!isChannelAvailable('telegram')}> 375 375 + Telegram{isChannelAvailable('telegram') ? '' : ` (${$_('register.notConfigured')})`} 376 376 + </option> 377 377 + <option value="signal" disabled={!isChannelAvailable('signal')}> 378 378 + Signal{isChannelAvailable('signal') ? '' : ` (${$_('register.notConfigured')})`} 379 379 + </option> 369 380 </select> 370 381 </div> 371 382 {#if verificationChannel === 'email'}

+34 -19

src/api/identity/account.rs

··· 122 122 && input 123 123 .did 124 124 .as_ref() 125 125 - .map(|d| d.starts_with("did:plc:")) 125 125 + .map(|d| d.starts_with("did:plc:") || d.starts_with("did:web:")) 126 126 + .unwrap_or(false); 127 127 + 128 128 + let is_did_web_byod = migration_auth.is_some() 129 129 + && input 130 130 + .did 131 131 + .as_ref() 132 132 + .map(|d| d.starts_with("did:web:")) 126 133 .unwrap_or(false); 127 134 128 135 if is_migration { ··· 138 145 ) 139 146 .into_response(); 140 147 } 141 141 - info!(did = %migration_did, "Processing account migration"); 148 148 + if is_did_web_byod { 149 149 + info!(did = %migration_did, "Processing did:web BYOD account creation"); 150 150 + } else { 151 151 + info!(did = %migration_did, "Processing account migration"); 152 152 + } 142 153 } 143 154 } 144 155 ··· 337 348 ) 338 349 .into_response(); 339 350 } 340 340 - if let Err(e) = 341 341 - verify_did_web(d, &hostname, &input.handle, input.signing_key.as_deref()).await 342 342 - { 343 343 - return ( 344 344 - StatusCode::BAD_REQUEST, 345 345 - Json(json!({"error": "InvalidDid", "message": e})), 346 346 - ) 347 347 - .into_response(); 351 351 + if !is_did_web_byod { 352 352 + if let Err(e) = 353 353 + verify_did_web(d, &hostname, &input.handle, input.signing_key.as_deref()).await 354 354 + { 355 355 + return ( 356 356 + StatusCode::BAD_REQUEST, 357 357 + Json(json!({"error": "InvalidDid", "message": e})), 358 358 + ) 359 359 + .into_response(); 360 360 + } 348 361 } 349 362 info!(did = %d, "Creating external did:web account"); 350 363 d.clone() ··· 355 368 info!(did = %d, "Migration with existing did:plc"); 356 369 d.clone() 357 370 } else if d.starts_with("did:web:") { 358 358 - if let Err(e) = 359 359 - verify_did_web(d, &hostname, &input.handle, input.signing_key.as_deref()) 360 360 - .await 361 361 - { 362 362 - return ( 363 363 - StatusCode::BAD_REQUEST, 364 364 - Json(json!({"error": "InvalidDid", "message": e})), 365 365 - ) 366 366 - .into_response(); 371 371 + if !is_did_web_byod { 372 372 + if let Err(e) = 373 373 + verify_did_web(d, &hostname, &input.handle, input.signing_key.as_deref()) 374 374 + .await 375 375 + { 376 376 + return ( 377 377 + StatusCode::BAD_REQUEST, 378 378 + Json(json!({"error": "InvalidDid", "message": e})), 379 379 + ) 380 380 + .into_response(); 381 381 + } 367 382 } 368 383 d.clone() 369 384 } else if !d.trim().is_empty() {

+17 -1

src/api/server/meta.rs

··· 2 2 use axum::{Json, extract::State, http::StatusCode, response::IntoResponse}; 3 3 use serde_json::json; 4 4 use tracing::error; 5 5 + 6 6 + fn get_available_comms_channels() -> Vec<&'static str> { 7 7 + let mut channels = vec!["email"]; 8 8 + if std::env::var("DISCORD_WEBHOOK_URL").is_ok() { 9 9 + channels.push("discord"); 10 10 + } 11 11 + if std::env::var("TELEGRAM_BOT_TOKEN").is_ok() { 12 12 + channels.push("telegram"); 13 13 + } 14 14 + if std::env::var("SIGNAL_CLI_PATH").is_ok() && std::env::var("SIGNAL_SENDER_NUMBER").is_ok() { 15 15 + channels.push("signal"); 16 16 + } 17 17 + channels 18 18 + } 19 19 + 5 20 pub async fn robots_txt() -> impl IntoResponse { 6 21 ( 7 22 StatusCode::OK, ··· 21 36 "availableUserDomains": domains, 22 37 "inviteCodeRequired": invite_code_required, 23 38 "did": format!("did:web:{}", pds_hostname), 24 24 - "version": env!("CARGO_PKG_VERSION") 39 39 + "version": env!("CARGO_PKG_VERSION"), 40 40 + "availableCommsChannels": get_available_comms_channels() 25 41 })) 26 42 } 27 43 pub async fn health(State(state): State<AppState>) -> impl IntoResponse {

+9 -8

src/auth/service.rs

··· 229 229 .strip_prefix("did:web:") 230 230 .ok_or_else(|| anyhow!("Invalid did:web format"))?; 231 231 232 232 - let decoded_host = host.replace("%3A", ":"); 233 233 - let (host_part, path_part) = if let Some(idx) = decoded_host.find('/') { 234 234 - (&decoded_host[..idx], &decoded_host[idx..]) 235 235 - } else { 236 236 - (decoded_host.as_str(), "") 237 237 - }; 232 232 + let parts: Vec<&str> = host.split(':').collect(); 233 233 + if parts.is_empty() { 234 234 + return Err(anyhow!("Invalid did:web format - no host")); 235 235 + } 236 236 + 237 237 + let host_part = parts[0].replace("%3A", ":"); 238 238 239 239 let scheme = if host_part.starts_with("localhost") 240 240 || host_part.starts_with("127.0.0.1") ··· 245 245 "https" 246 246 }; 247 247 248 248 - let url = if path_part.is_empty() { 248 248 + let url = if parts.len() == 1 { 249 249 format!("{}://{}/.well-known/did.json", scheme, host_part) 250 250 } else { 251 251 - format!("{}://{}{}/did.json", scheme, host_part, path_part) 251 251 + let path = parts[1..].join("/"); 252 252 + format!("{}://{}/{}/did.json", scheme, host_part, path) 252 253 }; 253 254 254 255 debug!("Resolving did:web {} via {}", did, url);

+193

tests/did_web.rs

··· 1 1 mod common; 2 2 + use base64::engine::general_purpose::URL_SAFE_NO_PAD; 3 3 + use base64::Engine; 2 4 use common::*; 5 5 + use k256::ecdsa::{SigningKey, signature::Signer}; 3 6 use reqwest::StatusCode; 4 7 use serde_json::{Value, json}; 5 8 use wiremock::matchers::{method, path}; ··· 348 351 body 349 352 ); 350 353 } 354 354 + 355 355 + fn signing_key_to_multibase(signing_key: &SigningKey) -> String { 356 356 + let verifying_key = signing_key.verifying_key(); 357 357 + let compressed = verifying_key.to_sec1_bytes(); 358 358 + let mut multicodec = vec![0xe7, 0x01]; 359 359 + multicodec.extend_from_slice(&compressed); 360 360 + multibase::encode(multibase::Base::Base58Btc, &multicodec) 361 361 + } 362 362 + 363 363 + fn create_service_jwt(signing_key: &SigningKey, did: &str, aud: &str) -> String { 364 364 + let header = json!({"alg": "ES256K", "typ": "jwt"}); 365 365 + let now = chrono::Utc::now().timestamp() as usize; 366 366 + let claims = json!({ 367 367 + "iss": did, 368 368 + "sub": did, 369 369 + "aud": aud, 370 370 + "exp": now + 300, 371 371 + "iat": now, 372 372 + "lxm": "com.atproto.server.createAccount", 373 373 + "jti": uuid::Uuid::new_v4().to_string() 374 374 + }); 375 375 + let header_b64 = URL_SAFE_NO_PAD.encode(header.to_string()); 376 376 + let claims_b64 = URL_SAFE_NO_PAD.encode(claims.to_string()); 377 377 + let message = format!("{}.{}", header_b64, claims_b64); 378 378 + let signature: k256::ecdsa::Signature = signing_key.sign(message.as_bytes()); 379 379 + let sig_b64 = URL_SAFE_NO_PAD.encode(signature.to_bytes()); 380 380 + format!("{}.{}", message, sig_b64) 381 381 + } 382 382 + 383 383 + #[tokio::test] 384 384 + async fn test_did_web_byod_flow() { 385 385 + let client = client(); 386 386 + let mock_server = MockServer::start().await; 387 387 + let mock_uri = mock_server.uri(); 388 388 + let mock_addr = mock_uri.trim_start_matches("http://"); 389 389 + let unique_id = uuid::Uuid::new_v4().to_string().replace("-", ""); 390 390 + let did = format!("did:web:{}:byod:{}", mock_addr.replace(":", "%3A"), unique_id); 391 391 + let handle = format!("byod_{}", uuid::Uuid::new_v4()); 392 392 + let pds_endpoint = base_url().await.replace("http://", "https://"); 393 393 + let pds_did = format!( 394 394 + "did:web:{}", 395 395 + pds_endpoint.trim_start_matches("https://") 396 396 + ); 397 397 + 398 398 + let temp_key = SigningKey::random(&mut rand::thread_rng()); 399 399 + let public_key_multibase = signing_key_to_multibase(&temp_key); 400 400 + 401 401 + let did_doc = json!({ 402 402 + "@context": ["https://www.w3.org/ns/did/v1"], 403 403 + "id": did, 404 404 + "verificationMethod": [{ 405 405 + "id": format!("{}#atproto", did), 406 406 + "type": "Multikey", 407 407 + "controller": did, 408 408 + "publicKeyMultibase": public_key_multibase 409 409 + }], 410 410 + "service": [{ 411 411 + "id": "#atproto_pds", 412 412 + "type": "AtprotoPersonalDataServer", 413 413 + "serviceEndpoint": pds_endpoint 414 414 + }] 415 415 + }); 416 416 + Mock::given(method("GET")) 417 417 + .and(path(format!("/byod/{}/did.json", unique_id))) 418 418 + .respond_with(ResponseTemplate::new(200).set_body_json(&did_doc)) 419 419 + .mount(&mock_server) 420 420 + .await; 421 421 + 422 422 + let service_jwt = create_service_jwt(&temp_key, &did, &pds_did); 423 423 + let payload = json!({ 424 424 + "handle": handle, 425 425 + "email": format!("{}@example.com", handle), 426 426 + "password": "Testpass123!", 427 427 + "did": did 428 428 + }); 429 429 + let res = client 430 430 + .post(format!( 431 431 + "{}/xrpc/com.atproto.server.createAccount", 432 432 + base_url().await 433 433 + )) 434 434 + .header("Authorization", format!("Bearer {}", service_jwt)) 435 435 + .json(&payload) 436 436 + .send() 437 437 + .await 438 438 + .expect("Failed to send request"); 439 439 + if res.status() != StatusCode::OK { 440 440 + let body: Value = res.json().await.unwrap_or(json!({"error": "parse failed"})); 441 441 + panic!("createAccount BYOD failed: {:?}", body); 442 442 + } 443 443 + let body: Value = res.json().await.expect("Response was not JSON"); 444 444 + let returned_did = body["did"].as_str().expect("No DID in response"); 445 445 + assert_eq!(returned_did, did, "Returned DID should match requested DID"); 446 446 + let access_jwt = body["accessJwt"] 447 447 + .as_str() 448 448 + .expect("No accessJwt in response"); 449 449 + 450 450 + let res = client 451 451 + .get(format!( 452 452 + "{}/xrpc/com.atproto.server.checkAccountStatus", 453 453 + base_url().await 454 454 + )) 455 455 + .bearer_auth(access_jwt) 456 456 + .send() 457 457 + .await 458 458 + .expect("Failed to check account status"); 459 459 + assert_eq!(res.status(), StatusCode::OK); 460 460 + let status: Value = res.json().await.expect("Response was not JSON"); 461 461 + assert_eq!( 462 462 + status["activated"], false, 463 463 + "BYOD account should be deactivated initially" 464 464 + ); 465 465 + 466 466 + let res = client 467 467 + .get(format!( 468 468 + "{}/xrpc/com.atproto.identity.getRecommendedDidCredentials", 469 469 + base_url().await 470 470 + )) 471 471 + .bearer_auth(access_jwt) 472 472 + .send() 473 473 + .await 474 474 + .expect("Failed to get recommended credentials"); 475 475 + assert_eq!(res.status(), StatusCode::OK); 476 476 + let creds: Value = res.json().await.expect("Response was not JSON"); 477 477 + assert!( 478 478 + creds["verificationMethods"]["atproto"].is_string(), 479 479 + "Should return PDS signing key" 480 480 + ); 481 481 + let pds_signing_key = creds["verificationMethods"]["atproto"] 482 482 + .as_str() 483 483 + .expect("No atproto verification method"); 484 484 + assert!( 485 485 + pds_signing_key.starts_with("did:key:"), 486 486 + "PDS signing key should be did:key format" 487 487 + ); 488 488 + 489 489 + let res = client 490 490 + .post(format!( 491 491 + "{}/xrpc/com.atproto.server.activateAccount", 492 492 + base_url().await 493 493 + )) 494 494 + .bearer_auth(access_jwt) 495 495 + .send() 496 496 + .await 497 497 + .expect("Failed to activate account"); 498 498 + assert_eq!( 499 499 + res.status(), 500 500 + StatusCode::OK, 501 501 + "activateAccount should succeed" 502 502 + ); 503 503 + 504 504 + let res = client 505 505 + .get(format!( 506 506 + "{}/xrpc/com.atproto.server.checkAccountStatus", 507 507 + base_url().await 508 508 + )) 509 509 + .bearer_auth(access_jwt) 510 510 + .send() 511 511 + .await 512 512 + .expect("Failed to check account status"); 513 513 + assert_eq!(res.status(), StatusCode::OK); 514 514 + let status: Value = res.json().await.expect("Response was not JSON"); 515 515 + assert_eq!( 516 516 + status["activated"], true, 517 517 + "Account should be activated after activateAccount call" 518 518 + ); 519 519 + 520 520 + let res = client 521 521 + .post(format!( 522 522 + "{}/xrpc/com.atproto.repo.createRecord", 523 523 + base_url().await 524 524 + )) 525 525 + .bearer_auth(access_jwt) 526 526 + .json(&json!({ 527 527 + "repo": did, 528 528 + "collection": "app.bsky.feed.post", 529 529 + "record": { 530 530 + "$type": "app.bsky.feed.post", 531 531 + "text": "Hello from BYOD did:web!", 532 532 + "createdAt": chrono::Utc::now().to_rfc3339() 533 533 + } 534 534 + })) 535 535 + .send() 536 536 + .await 537 537 + .expect("Failed to create post"); 538 538 + assert_eq!( 539 539 + res.status(), 540 540 + StatusCode::OK, 541 541 + "Activated BYOD account should be able to create records" 542 542 + ); 543 543 + }