+6

crates/common/src/error.rs

··· 21 21 WeakPassword, 22 22 RateLimited, 23 23 ExportInProgress, 24 24 + ServiceUnavailable, 25 25 + InternalError, 24 26 /// Returned for any XRPC NSID that has no registered handler. 25 27 /// 26 28 /// Serialized as `"MethodNotImplemented"` (PascalCase) to match the AT Protocol XRPC ··· 51 53 ErrorCode::WeakPassword => 422, 52 54 ErrorCode::RateLimited => 429, 53 55 ErrorCode::ExportInProgress => 503, 56 56 + ErrorCode::ServiceUnavailable => 503, 57 57 + ErrorCode::InternalError => 500, 54 58 ErrorCode::MethodNotImplemented => 501, 55 59 } 56 60 } ··· 196 200 (ErrorCode::WeakPassword, 422), 197 201 (ErrorCode::RateLimited, 429), 198 202 (ErrorCode::ExportInProgress, 503), 203 203 + (ErrorCode::ServiceUnavailable, 503), 204 204 + (ErrorCode::InternalError, 500), 199 205 (ErrorCode::MethodNotImplemented, 501), 200 206 ]; 201 207 for (code, expected) in cases {

+1

crates/relay/Cargo.toml

··· 26 26 tower-http = { workspace = true } 27 27 serde = { workspace = true } 28 28 sqlx = { workspace = true } 29 29 + crypto = { workspace = true } 29 30 30 31 [dev-dependencies] 31 32 tower = { workspace = true }

+8 -1

crates/relay/src/app.rs

··· 1 1 use std::sync::Arc; 2 2 3 3 - use axum::{extract::Path, http::Request, routing::get, Router}; 3 3 + use axum::{ 4 4 + extract::Path, 5 5 + http::Request, 6 6 + routing::{get, post}, 7 7 + Router, 8 8 + }; 4 9 use common::{ApiError, Config, ErrorCode}; 5 10 use opentelemetry::propagation::Extractor; 6 11 use tower_http::{cors::CorsLayer, trace::TraceLayer}; 7 12 use tracing_opentelemetry::OpenTelemetrySpanExt; 8 13 14 14 + use crate::routes::create_signing_key::create_signing_key; 9 15 use crate::routes::describe_server::describe_server; 10 16 use crate::routes::health::health; 11 17 ··· 80 86 get(describe_server), 81 87 ) 82 88 .route("/xrpc/:method", get(xrpc_handler).post(xrpc_handler)) 89 89 + .route("/v1/relay/keys", post(create_signing_key)) 83 90 .layer(CorsLayer::permissive()) 84 91 .layer(TraceLayer::new_for_http().make_span_with(OtelMakeSpan)) 85 92 .with_state(state)

+417

crates/relay/src/routes/create_signing_key.rs

··· 1 1 + // pattern: Imperative Shell 2 2 + // 3 3 + // Gathers: Bearer token from Authorization header, JSON request body, config, DB pool 4 4 + // Processes: auth check → algorithm check → master key check → key generation → encryption → DB insert 5 5 + // Returns: JSON { key_id, public_key, algorithm } on success; ApiError on all failure paths 6 6 + 7 7 + use axum::{extract::State, http::HeaderMap, response::Json}; 8 8 + use serde::{Deserialize, Serialize}; 9 9 + 10 10 + use common::{ApiError, ErrorCode}; 11 11 + 12 12 + use crate::app::AppState; 13 13 + 14 14 + #[derive(Deserialize)] 15 15 + #[serde(rename_all = "camelCase")] 16 16 + pub struct CreateSigningKeyRequest { 17 17 + #[serde(default)] 18 18 + algorithm: Option<String>, 19 19 + } 20 20 + 21 21 + // Response uses camelCase per JSON API convention (keyId, publicKey). 22 22 + // The design document shows snake_case field names; this is a deliberate 23 23 + // deviation — camelCase is standard for JSON responses and matches ATProto conventions. 24 24 + #[derive(Serialize)] 25 25 + #[serde(rename_all = "camelCase")] 26 26 + pub struct CreateSigningKeyResponse { 27 27 + key_id: String, 28 28 + public_key: String, 29 29 + algorithm: String, 30 30 + } 31 31 + 32 32 + pub async fn create_signing_key( 33 33 + State(state): State<AppState>, 34 34 + headers: HeaderMap, 35 35 + Json(payload): Json<CreateSigningKeyRequest>, 36 36 + ) -> Result<Json<CreateSigningKeyResponse>, ApiError> { 37 37 + // --- Auth: require matching Bearer token --- 38 38 + // Check this first so unauthenticated callers cannot probe server configuration. 39 39 + let expected_token = state 40 40 + .config 41 41 + .admin_token 42 42 + .as_deref() 43 43 + .ok_or_else(|| ApiError::new(ErrorCode::Unauthorized, "admin token not configured"))?; 44 44 + 45 45 + let auth_value = headers 46 46 + .get(axum::http::header::AUTHORIZATION) 47 47 + .and_then(|v| v.to_str().ok()) 48 48 + .unwrap_or(""); 49 49 + 50 50 + let provided_token = auth_value.strip_prefix("Bearer ").ok_or_else(|| { 51 51 + ApiError::new( 52 52 + ErrorCode::Unauthorized, 53 53 + "missing or invalid Authorization header", 54 54 + ) 55 55 + })?; 56 56 + 57 57 + if provided_token != expected_token { 58 58 + return Err(ApiError::new( 59 59 + ErrorCode::Unauthorized, 60 60 + "invalid admin token", 61 61 + )); 62 62 + } 63 63 + 64 64 + // --- Algorithm: only p256 is supported --- 65 65 + match payload.algorithm.as_deref() { 66 66 + Some("p256") => {} 67 67 + _ => { 68 68 + return Err(ApiError::new( 69 69 + ErrorCode::InvalidClaim, 70 70 + "unsupported algorithm; expected \"p256\"", 71 71 + )) 72 72 + } 73 73 + } 74 74 + 75 75 + // --- Master key: return 503 if not configured --- 76 76 + let master_key: &[u8; 32] = state 77 77 + .config 78 78 + .signing_key_master_key 79 79 + .as_ref() 80 80 + .ok_or_else(|| { 81 81 + ApiError::new( 82 82 + ErrorCode::ServiceUnavailable, 83 83 + "signing key master key not configured", 84 84 + ) 85 85 + })?; 86 86 + 87 87 + // --- Generate P-256 keypair --- 88 88 + let keypair = crypto::generate_p256_keypair().map_err(|e| { 89 89 + tracing::error!(error = %e, "failed to generate P-256 keypair"); 90 90 + ApiError::new(ErrorCode::InternalError, "key generation failed") 91 91 + })?; 92 92 + 93 93 + // --- Encrypt private key with AES-256-GCM --- 94 94 + // private_key_bytes is Zeroizing<[u8; 32]>; deref coercion to &[u8; 32] applies. 95 95 + let private_key_encrypted = crypto::encrypt_private_key(&keypair.private_key_bytes, master_key) 96 96 + .map_err(|e| { 97 97 + tracing::error!(error = %e, "failed to encrypt private key"); 98 98 + ApiError::new(ErrorCode::InternalError, "key encryption failed") 99 99 + })?; 100 100 + 101 101 + // --- Persist to relay_signing_keys --- 102 102 + // created_at uses SQLite's datetime('now') to produce ISO 8601 UTC without a chrono dep. 103 103 + sqlx::query( 104 104 + "INSERT INTO relay_signing_keys \ 105 105 + (id, algorithm, public_key, private_key_encrypted, created_at) \ 106 106 + VALUES (?, ?, ?, ?, datetime('now'))", 107 107 + ) 108 108 + .bind(&keypair.key_id) 109 109 + .bind("p256") 110 110 + .bind(&keypair.public_key) 111 111 + .bind(&private_key_encrypted) 112 112 + .execute(&state.db) 113 113 + .await 114 114 + .map_err(|e| { 115 115 + tracing::error!(error = %e, "failed to insert relay signing key"); 116 116 + ApiError::new(ErrorCode::InternalError, "failed to store signing key") 117 117 + })?; 118 118 + 119 119 + Ok(Json(CreateSigningKeyResponse { 120 120 + key_id: keypair.key_id, 121 121 + public_key: keypair.public_key, 122 122 + algorithm: "p256".to_string(), 123 123 + })) 124 124 + } 125 125 + 126 126 + #[cfg(test)] 127 127 + mod tests { 128 128 + use std::sync::Arc; 129 129 + 130 130 + use axum::{ 131 131 + body::Body, 132 132 + http::{Request, StatusCode}, 133 133 + }; 134 134 + use tower::ServiceExt; 135 135 + 136 136 + use crate::app::{app, test_state, AppState}; 137 137 + 138 138 + /// Build an AppState with both admin_token and signing_key_master_key configured. 139 139 + async fn test_state_with_keys() -> AppState { 140 140 + let base = test_state().await; 141 141 + let mut config = (*base.config).clone(); 142 142 + config.admin_token = Some("test-admin-token".to_string()); 143 143 + config.signing_key_master_key = Some([ 144 144 + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 145 145 + 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 146 146 + 0x1d, 0x1e, 0x1f, 0x20, 147 147 + ]); 148 148 + AppState { 149 149 + config: Arc::new(config), 150 150 + db: base.db, 151 151 + } 152 152 + } 153 153 + 154 154 + /// Build a POST /v1/relay/keys request with JSON body and optional Bearer token. 155 155 + fn post_keys(body: &str, bearer: Option<&str>) -> Request<Body> { 156 156 + let mut builder = Request::builder() 157 157 + .method("POST") 158 158 + .uri("/v1/relay/keys") 159 159 + .header("Content-Type", "application/json"); 160 160 + if let Some(token) = bearer { 161 161 + builder = builder.header("Authorization", format!("Bearer {token}")); 162 162 + } 163 163 + builder.body(Body::from(body.to_string())).unwrap() 164 164 + } 165 165 + 166 166 + // --- Happy path --- 167 167 + 168 168 + #[tokio::test] 169 169 + async fn create_signing_key_returns_200_with_key_fields() { 170 170 + // MM-92.AC1.1 171 171 + let response = app(test_state_with_keys().await) 172 172 + .oneshot(post_keys( 173 173 + r#"{"algorithm": "p256"}"#, 174 174 + Some("test-admin-token"), 175 175 + )) 176 176 + .await 177 177 + .unwrap(); 178 178 + 179 179 + assert_eq!(response.status(), StatusCode::OK); 180 180 + let body = axum::body::to_bytes(response.into_body(), 4096) 181 181 + .await 182 182 + .unwrap(); 183 183 + let json: serde_json::Value = serde_json::from_slice(&body).unwrap(); 184 184 + assert!(json["keyId"].is_string(), "keyId must be present"); 185 185 + assert!(json["publicKey"].is_string(), "publicKey must be present"); 186 186 + assert_eq!(json["algorithm"], "p256"); // MM-92.AC1.4 187 187 + } 188 188 + 189 189 + #[tokio::test] 190 190 + async fn key_id_is_did_key_uri() { 191 191 + // MM-92.AC1.2 192 192 + let response = app(test_state_with_keys().await) 193 193 + .oneshot(post_keys( 194 194 + r#"{"algorithm": "p256"}"#, 195 195 + Some("test-admin-token"), 196 196 + )) 197 197 + .await 198 198 + .unwrap(); 199 199 + 200 200 + let body = axum::body::to_bytes(response.into_body(), 4096) 201 201 + .await 202 202 + .unwrap(); 203 203 + let json: serde_json::Value = serde_json::from_slice(&body).unwrap(); 204 204 + let key_id = json["keyId"].as_str().unwrap(); 205 205 + assert!( 206 206 + key_id.starts_with("did:key:z"), 207 207 + "keyId must start with did:key:z, got: {key_id}" 208 208 + ); 209 209 + } 210 210 + 211 211 + #[tokio::test] 212 212 + async fn public_key_is_multibase_base58btc() { 213 213 + // MM-92.AC1.3 214 214 + let response = app(test_state_with_keys().await) 215 215 + .oneshot(post_keys( 216 216 + r#"{"algorithm": "p256"}"#, 217 217 + Some("test-admin-token"), 218 218 + )) 219 219 + .await 220 220 + .unwrap(); 221 221 + 222 222 + let body = axum::body::to_bytes(response.into_body(), 4096) 223 223 + .await 224 224 + .unwrap(); 225 225 + let json: serde_json::Value = serde_json::from_slice(&body).unwrap(); 226 226 + let public_key = json["publicKey"].as_str().unwrap(); 227 227 + assert!( 228 228 + public_key.starts_with('z'), 229 229 + "publicKey must start with 'z' (multibase base58btc prefix), got: {public_key}" 230 230 + ); 231 231 + assert!( 232 232 + !public_key.starts_with("did:key:"), 233 233 + "publicKey must not include did:key: prefix" 234 234 + ); 235 235 + } 236 236 + 237 237 + #[tokio::test] 238 238 + async fn response_has_no_private_key_field() { 239 239 + // MM-92.AC2.1 240 240 + let response = app(test_state_with_keys().await) 241 241 + .oneshot(post_keys( 242 242 + r#"{"algorithm": "p256"}"#, 243 243 + Some("test-admin-token"), 244 244 + )) 245 245 + .await 246 246 + .unwrap(); 247 247 + 248 248 + let body = axum::body::to_bytes(response.into_body(), 4096) 249 249 + .await 250 250 + .unwrap(); 251 251 + let json: serde_json::Value = serde_json::from_slice(&body).unwrap(); 252 252 + assert!( 253 253 + json.get("privateKey").is_none(), 254 254 + "privateKey must not appear in response" 255 255 + ); 256 256 + assert!( 257 257 + json.get("private_key").is_none(), 258 258 + "private_key must not appear in response" 259 259 + ); 260 260 + } 261 261 + 262 262 + #[tokio::test] 263 263 + async fn row_persisted_in_db_with_encrypted_private_key() { 264 264 + // MM-92.AC1.5, MM-92.AC2.2 265 265 + let state = test_state_with_keys().await; 266 266 + let db = state.db.clone(); 267 267 + 268 268 + let response = app(state) 269 269 + .oneshot(post_keys( 270 270 + r#"{"algorithm": "p256"}"#, 271 271 + Some("test-admin-token"), 272 272 + )) 273 273 + .await 274 274 + .unwrap(); 275 275 + 276 276 + assert_eq!(response.status(), StatusCode::OK); 277 277 + let body = axum::body::to_bytes(response.into_body(), 4096) 278 278 + .await 279 279 + .unwrap(); 280 280 + let json: serde_json::Value = serde_json::from_slice(&body).unwrap(); 281 281 + let key_id = json["keyId"].as_str().unwrap(); 282 282 + 283 283 + // Verify the row exists and has the expected fields. 284 284 + let row: (String, String, String, String) = sqlx::query_as( 285 285 + "SELECT id, algorithm, public_key, private_key_encrypted \ 286 286 + FROM relay_signing_keys WHERE id = ?", 287 287 + ) 288 288 + .bind(key_id) 289 289 + .fetch_one(&db) 290 290 + .await 291 291 + .expect("row must exist in relay_signing_keys after successful creation"); 292 292 + 293 293 + assert_eq!(row.0, key_id, "db id must match response keyId"); 294 294 + assert_eq!(row.1, "p256", "db algorithm must be p256"); 295 295 + assert_eq!( 296 296 + row.2, 297 297 + json["publicKey"].as_str().unwrap(), 298 298 + "db public_key must match response publicKey" 299 299 + ); 300 300 + // base64(12-byte nonce || 32-byte ciphertext || 16-byte tag) = base64(60 bytes) = 80 chars 301 301 + assert_eq!( 302 302 + row.3.len(), 303 303 + 80, 304 304 + "private_key_encrypted must be 80 base64 chars (nonce 12 + ciphertext 32 + tag 16)" 305 305 + ); 306 306 + } 307 307 + 308 308 + // --- Auth tests --- 309 309 + 310 310 + #[tokio::test] 311 311 + async fn missing_authorization_header_returns_401() { 312 312 + // MM-92.AC4.1 313 313 + let response = app(test_state_with_keys().await) 314 314 + .oneshot(post_keys(r#"{"algorithm": "p256"}"#, None)) 315 315 + .await 316 316 + .unwrap(); 317 317 + assert_eq!(response.status(), StatusCode::UNAUTHORIZED); 318 318 + } 319 319 + 320 320 + #[tokio::test] 321 321 + async fn wrong_bearer_token_returns_401() { 322 322 + // MM-92.AC4.2 323 323 + let response = app(test_state_with_keys().await) 324 324 + .oneshot(post_keys(r#"{"algorithm": "p256"}"#, Some("wrong-token"))) 325 325 + .await 326 326 + .unwrap(); 327 327 + assert_eq!(response.status(), StatusCode::UNAUTHORIZED); 328 328 + } 329 329 + 330 330 + #[tokio::test] 331 331 + async fn bare_token_without_bearer_prefix_returns_401() { 332 332 + // MM-92.AC4.3: Authorization header present but "Bearer " prefix missing 333 333 + let request = Request::builder() 334 334 + .method("POST") 335 335 + .uri("/v1/relay/keys") 336 336 + .header("Content-Type", "application/json") 337 337 + .header("Authorization", "test-admin-token") // no "Bearer " prefix 338 338 + .body(Body::from(r#"{"algorithm": "p256"}"#)) 339 339 + .unwrap(); 340 340 + 341 341 + let response = app(test_state_with_keys().await) 342 342 + .oneshot(request) 343 343 + .await 344 344 + .unwrap(); 345 345 + assert_eq!(response.status(), StatusCode::UNAUTHORIZED); 346 346 + } 347 347 + 348 348 + // --- Algorithm tests --- 349 349 + 350 350 + #[tokio::test] 351 351 + async fn unsupported_algorithm_returns_400() { 352 352 + // MM-92.AC5.1 353 353 + let response = app(test_state_with_keys().await) 354 354 + .oneshot(post_keys( 355 355 + r#"{"algorithm": "k256"}"#, 356 356 + Some("test-admin-token"), 357 357 + )) 358 358 + .await 359 359 + .unwrap(); 360 360 + assert_eq!(response.status(), StatusCode::BAD_REQUEST); 361 361 + } 362 362 + 363 363 + #[tokio::test] 364 364 + async fn empty_algorithm_returns_400() { 365 365 + // MM-92.AC5.2 366 366 + let response = app(test_state_with_keys().await) 367 367 + .oneshot(post_keys(r#"{"algorithm": ""}"#, Some("test-admin-token"))) 368 368 + .await 369 369 + .unwrap(); 370 370 + assert_eq!(response.status(), StatusCode::BAD_REQUEST); 371 371 + } 372 372 + 373 373 + #[tokio::test] 374 374 + async fn missing_algorithm_field_returns_400() { 375 375 + // MM-92.AC5.3: empty JSON body — algorithm field absent, defaults to None → 400 376 376 + let response = app(test_state_with_keys().await) 377 377 + .oneshot(post_keys(r#"{}"#, Some("test-admin-token"))) 378 378 + .await 379 379 + .unwrap(); 380 380 + assert_eq!(response.status(), StatusCode::BAD_REQUEST); 381 381 + } 382 382 + 383 383 + // --- Master key test --- 384 384 + 385 385 + #[tokio::test] 386 386 + async fn missing_master_key_returns_503() { 387 387 + // MM-92.AC6.1: valid Bearer token, but signing_key_master_key not configured → 503 388 388 + let base = test_state().await; 389 389 + let mut config = (*base.config).clone(); 390 390 + config.admin_token = Some("test-admin-token".to_string()); 391 391 + // signing_key_master_key intentionally left as None 392 392 + let state = AppState { 393 393 + config: Arc::new(config), 394 394 + db: base.db, 395 395 + }; 396 396 + 397 397 + let response = app(state) 398 398 + .oneshot(post_keys( 399 399 + r#"{"algorithm": "p256"}"#, 400 400 + Some("test-admin-token"), 401 401 + )) 402 402 + .await 403 403 + .unwrap(); 404 404 + assert_eq!(response.status(), StatusCode::SERVICE_UNAVAILABLE); 405 405 + } 406 406 + 407 407 + #[tokio::test] 408 408 + async fn admin_token_not_configured_returns_401() { 409 409 + // Operator has not set EZPDS_ADMIN_TOKEN; any request to the endpoint returns 401. 410 410 + // test_state() leaves admin_token as None by default. 411 411 + let response = app(test_state().await) 412 412 + .oneshot(post_keys(r#"{"algorithm": "p256"}"#, Some("any-token"))) 413 413 + .await 414 414 + .unwrap(); 415 415 + assert_eq!(response.status(), StatusCode::UNAUTHORIZED); 416 416 + } 417 417 + }

+1

crates/relay/src/routes/mod.rs

··· 1 1 + pub mod create_signing_key; 1 2 pub mod describe_server; 2 3 pub mod health;