refactor(scripts): auto-resolve PDS from handle, drop BSKY_PDS

Inputs are now just ATPROTO_HANDLE, ATPROTO_APP_PASSWORD, REMANSO_API (or matching --handle, --app-password, --api). The script resolves the handle to a DID via public.api.bsky.app, then resolves the DID to a PDS via plc.directory — same path the server's verifier uses. Works for any AT Protocol PDS (Bluesky, eurosky, self-hosted) without the caller having to know the PDS URL.
2026-05-05 12:36:22 +02:00
parent e0fe4ce16f
commit a3c92254ea
1 changed files with 55 additions and 29 deletions
--- a/scripts/manage-webhooks.ts
+++ b/scripts/manage-webhooks.ts
@@ -1,21 +1,14 @@
-// Manage webhook subscriptions on the Remanso API using a Bluesky session
+// Manage webhook subscriptions on the Remanso API. Resolves your PDS from
-// token from your own PDS. Usage:
+// your AT Protocol handle, logs in with an app password, then registers or
 // deletes webhooks against the Remanso API.
 //
 //   deno task webhooks register --url https://your-receiver --verb bulk-create
 //   deno task webhooks delete-all
 //
-// Required env vars (or matching --flags):
+// Inputs (env or flag, env preferred):
-//   BSKY_IDENTIFIER  your handle (e.g. alice.eurosky.social) or email
+//   ATPROTO_HANDLE        / --handle        e.g. alice.eurosky.social
-//   BSKY_PASSWORD    app password (NOT your main password)
+//   ATPROTO_APP_PASSWORD  / --app-password  app password (NOT your account password)
-//   BSKY_PDS         your PDS base URL (default: https://bsky.social)
+//   REMANSO_API           / --api           default: https://api.remanso.space
 //   REMANSO_API      Remanso API base URL (default: https://api.remanso.space)
 //
 // Example for an eurosky-hosted account:
 //
 //   BSKY_IDENTIFIER=alice.eurosky.social \
 //   BSKY_PASSWORD='xxxx-xxxx-xxxx-xxxx' \
 //   BSKY_PDS=https://eurosky.social \
 //   deno task webhooks register --url https://example.com/hook --verb bulk-create
 const HELP = `
 Usage:
@@ -27,17 +20,19 @@ Usage:
  deno task webhooks delete-all
-Auth (env or flag, env preferred):
+Inputs (env or flag, env preferred):
-  BSKY_IDENTIFIER / --identifier
+  ATPROTO_HANDLE        / --handle        your AT Protocol handle
-  BSKY_PASSWORD   / --password
+  ATPROTO_APP_PASSWORD  / --app-password  app password (NOT your account password)
-  BSKY_PDS        / --pds       (default: https://bsky.social)
+  REMANSO_API           / --api           default: https://api.remanso.space
-  REMANSO_API     / --api       (default: https://api.remanso.space)
+
 Your PDS is resolved automatically from the handle.
 `;
-type CreateSessionResponse = {
+type ResolveHandleResponse = { did: string };
-  did: string;
+type DidDocument = {
-  accessJwt: string;
+  service?: { id: string; serviceEndpoint: string }[];
 };
 type CreateSessionResponse = { did: string; accessJwt: string };
 const parseArgs = (args: string[]): Record<string, string> => {
  const out: Record<string, string> = {};
@@ -62,6 +57,35 @@ const die = (msg: string): never => {
  Deno.exit(1);
 };
 const resolveHandleToDid = async (handle: string): Promise<string> => {
  const url =
    `https://public.api.bsky.app/xrpc/com.atproto.identity.resolveHandle?handle=${
      encodeURIComponent(handle)
    }`;
  const res = await fetch(url);
  if (!res.ok) {
    throw new Error(
      `resolveHandle failed for ${handle} (${res.status}): ${await res.text()}`,
    );
  }
  const { did } = await res.json() as ResolveHandleResponse;
  return did;
 };
 const resolveDidToPds = async (did: string): Promise<string> => {
  if (!did.startsWith("did:plc:")) {
    throw new Error(`Unsupported DID method (server only handles did:plc): ${did}`);
  }
  const res = await fetch(`https://plc.directory/${did}`);
  if (!res.ok) {
    throw new Error(`plc.directory lookup failed (${res.status})`);
  }
  const doc = await res.json() as DidDocument;
  const pds = doc.service?.find((s) => s.id === "#atproto_pds");
  if (!pds) throw new Error("No #atproto_pds service in DID document");
  return pds.serviceEndpoint;
 };
 const createSession = async (
  pds: string,
  identifier: string,
@@ -88,17 +112,19 @@ const main = async () => {
  }
  const flags = parseArgs(rest);
-  const identifier = flags.identifier ?? Deno.env.get("BSKY_IDENTIFIER");
+  const handle = flags.handle ?? Deno.env.get("ATPROTO_HANDLE");
-  const password = flags.password ?? Deno.env.get("BSKY_PASSWORD");
+  const password = flags["app-password"] ??
-  const pds = flags.pds ?? Deno.env.get("BSKY_PDS") ?? "https://bsky.social";
+    Deno.env.get("ATPROTO_APP_PASSWORD");
  const api = flags.api ?? Deno.env.get("REMANSO_API") ??
    "https://api.remanso.space";
-  if (!identifier) die("BSKY_IDENTIFIER (or --identifier) is required");
+  if (!handle) die("ATPROTO_HANDLE (or --handle) is required");
-  if (!password) die("BSKY_PASSWORD (or --password) is required");
+  if (!password) die("ATPROTO_APP_PASSWORD (or --app-password) is required");
-  const session = await createSession(pds, identifier, password);
+  const did = await resolveHandleToDid(handle);
-  console.log(`[auth] verified DID: ${session.did} via ${pds}`);
+  const pds = await resolveDidToPds(did);
  console.log(`[resolve] ${handle} → ${did} via ${pds}`);
  const session = await createSession(pds, handle, password);
  if (command === "register") {
    const url = flags.url ?? die("--url is required for register");