julien/remanso-jetstream
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: authenticate DELETE endpoint with AT Protocol identity

Browse Source 
Verify the caller owns the DID by resolving their PDS via plc.directory
and validating the session token before allowing note deletion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Julien Calixte
2026-02-14 20:38:40 +01:00
parent 51ea8a8f17
commit a7a90ea075
2 changed files with 66 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
server.ts
View File

@@ -1,5 +1,6 @@
import { Application, Router } from "@oak/oak";
import { deleteNote, getNotes, getNotesByDid } from "./src/data/db.ts";
import { authenticateRequest } from "./src/auth/verify.ts";
const router = new Router();
@@ -20,8 +21,23 @@ router.get("/:did/notes", (ctx) => {
ctx.response.body = getNotesByDid(did, cursor, limit);
});
router.delete("/:did/:rkey", (ctx) => {
router.delete("/:did/:rkey", async (ctx) => {
const { did, rkey } = ctx.params;
let verifiedDid: string;
try {
verifiedDid = await authenticateRequest(
ctx.request.headers.get("Authorization"),
);
} catch {
ctx.response.status = 401;
ctx.response.body = { error: "Unauthorized" };
return;
}
if (verifiedDid !== did) {
ctx.response.status = 403;
ctx.response.body = { error: "You can only delete your own notes" };
return;
}
deleteNote({ did, rkey });
ctx.response.status = 204;
})