julien/remanso-jetstream
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: authenticate DELETE endpoint with AT Protocol identity

Browse Source 
Verify the caller owns the DID by resolving their PDS via plc.directory
and validating the session token before allowing note deletion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Julien Calixte
2026-02-14 20:38:40 +01:00
parent 51ea8a8f17
commit a7a90ea075
2 changed files with 66 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
server.ts
View File

@@ -1,5 +1,6 @@
import { Application, Router } from "@oak/oak"; import { Application, Router } from "@oak/oak";
import { deleteNote, getNotes, getNotesByDid } from "./src/data/db.ts"; import { deleteNote, getNotes, getNotesByDid } from "./src/data/db.ts";
import { authenticateRequest } from "./src/auth/verify.ts";
const router = new Router(); const router = new Router();
@@ -20,8 +21,23 @@ router.get("/:did/notes", (ctx) => {
ctx.response.body = getNotesByDid(did, cursor, limit); ctx.response.body = getNotesByDid(did, cursor, limit);
}); });
router.delete("/:did/:rkey", (ctx) => { router.delete("/:did/:rkey", async (ctx) => {
const { did, rkey } = ctx.params; const { did, rkey } = ctx.params;
let verifiedDid: string;
try {
verifiedDid = await authenticateRequest(
ctx.request.headers.get("Authorization"),
);
} catch {
ctx.response.status = 401;
ctx.response.body = { error: "Unauthorized" };
return;
}
if (verifiedDid !== did) {
ctx.response.status = 403;
ctx.response.body = { error: "You can only delete your own notes" };
return;
}
deleteNote({ did, rkey }); deleteNote({ did, rkey });
ctx.response.status = 204; ctx.response.status = 204;
}) })

49
src/auth/verify.ts Normal file
View File

@@ -0,0 +1,49 @@
interface JwtPayload {
sub: string;
[key: string]: unknown;
}
interface DidDocument {
service?: { id: string; serviceEndpoint: string }[];
}
function decodeJwtPayload(token: string): JwtPayload {
const parts = token.split(".");
if (parts.length !== 3) throw new Error("Invalid JWT format");
const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
return JSON.parse(atob(payload));
}
async function resolvePds(did: string): Promise<string> {
const res = await fetch(`https://plc.directory/${did}`);
if (!res.ok) throw new Error(`Failed to resolve DID: ${res.status}`);
const doc: DidDocument = await res.json();
const pds = doc.service?.find((s) => s.id === "#atproto_pds");
if (!pds) throw new Error("No PDS service found in DID document");
return pds.serviceEndpoint;
}
async function verifySession(
pdsUrl: string,
token: string,
): Promise<string> {
const res = await fetch(
`${pdsUrl}/xrpc/com.atproto.server.getSession`,
{ headers: { Authorization: `Bearer ${token}` } },
);
if (!res.ok) throw new Error(`Session verification failed: ${res.status}`);
const session: { did: string } = await res.json();
return session.did;
}
export async function authenticateRequest(
authHeader: string | null,
): Promise<string> {
if (!authHeader?.startsWith("Bearer ")) {
throw new Error("Missing or invalid Authorization header");
}
const token = authHeader.slice(7);
const { sub } = decodeJwtPayload(token);
const pdsUrl = await resolvePds(sub);
return await verifySession(pdsUrl, token);
}