feat: authenticate DELETE endpoint with AT Protocol identity

Verify the caller owns the DID by resolving their PDS via plc.directory
and validating the session token before allowing note deletion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/auth/verify.ts

@@ -0,0 +1,49 @@
+interface JwtPayload {
+  sub: string;
+  [key: string]: unknown;
+}
+
+interface DidDocument {
+  service?: { id: string; serviceEndpoint: string }[];
+}
+
+function decodeJwtPayload(token: string): JwtPayload {
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Invalid JWT format");
+  const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+  return JSON.parse(atob(payload));
+}
+
+async function resolvePds(did: string): Promise<string> {
+  const res = await fetch(`https://plc.directory/${did}`);
+  if (!res.ok) throw new Error(`Failed to resolve DID: ${res.status}`);
+  const doc: DidDocument = await res.json();
+  const pds = doc.service?.find((s) => s.id === "#atproto_pds");
+  if (!pds) throw new Error("No PDS service found in DID document");
+  return pds.serviceEndpoint;
+}
+
+async function verifySession(
+  pdsUrl: string,
+  token: string,
+): Promise<string> {
+  const res = await fetch(
+    `${pdsUrl}/xrpc/com.atproto.server.getSession`,
+    { headers: { Authorization: `Bearer ${token}` } },
+  );
+  if (!res.ok) throw new Error(`Session verification failed: ${res.status}`);
+  const session: { did: string } = await res.json();
+  return session.did;
+}
+
+export async function authenticateRequest(
+  authHeader: string | null,
+): Promise<string> {
+  if (!authHeader?.startsWith("Bearer ")) {
+    throw new Error("Missing or invalid Authorization header");
+  }
+  const token = authHeader.slice(7);
+  const { sub } = decodeJwtPayload(token);
+  const pdsUrl = await resolvePds(sub);
+  return await verifySession(pdsUrl, token);
+}