+6 -2

CHANGELOG.md

reviewed

··· 26 26 ``` 27 27 28 28 - `Atex.Config.IdentityResolver` has been renamed to `Atex.Config`. 29 29 - - `Atex.IdentityResolver.DIDDocument` has been renamed to `Atex.PLC.DIDDocument`. 29 29 + - `Atex.IdentityResolver.DIDDocument` has been renamed to `Atex.DID.Document`. 30 30 + - Replace existing `Atex.DID.Document.new/1` method with the method previously named `from_json/1`. 30 31 31 32 ### Added 32 33 34 34 + - `Atex.Crypto` module for performing AT Protocol-related cryptographic operations. 33 35 - `Atex.PLC` module for interacting with [a did:plc directory API](https://web.plc.directory/). 34 36 - `Atex.ServiceAuth` module for validating [inter-service authentication tokens](https://atproto.com/specs/xrpc#inter-service-authentication-jwt). 37 37 + - Various improvements to `Atex.Did.Document` 38 38 + - Add `Atex.DID.Document.Service` and `Atex.DID.Document.VerificationMethod` sub-structs. 39 39 + - Add `to_json/1` methods and `JSON.Encoder` protocols for easy conversion to camelCase JSON. 35 40 36 41 ### Fixed 37 42 38 43 - Fix a problem where generated `%<LexiconId>.Params` structs could not be 39 44 passed to an XRPC call due to not having the Enumerable protocol implemented. 40 40 - - Add `Atex.Crypto` module for performing AT Protocol-related cryptographic operations. 41 45 42 46 ## [0.7.1] - 2026-02-06 43 47

+16 -15

examples/service_auth.ex

reviewed

··· 5 5 plug :match 6 6 plug :dispatch 7 7 8 8 - @did_doc JSON.encode!(%{ 9 9 - "@context" => [ 8 8 + @did_doc %Atex.DID.Document{ 9 9 + "@context": [ 10 10 "https://www.w3.org/ns/did/v1", 11 11 "https://w3id.org/security/multikey/v1" 12 12 ], 13 13 - "id" => "did:web:setsuna.prawn-galaxy.ts.net", 14 14 - "verificationMethod" => [ 15 15 - %{ 16 16 - "id" => "did:web:setsuna.prawn-galaxy.ts.net#atproto", 17 17 - "type" => "Multikey", 18 18 - "controller" => "did:web:setsuna.prawn-galaxy.ts.net", 19 19 - "publicKeyMultibase" => "zDnaeRBG9swcjKP6GjjQF7kqxP6JaJaVbvjTjJ1YbXnKWWLna" 13 13 + id: "did:web:setsuna.prawn-galaxy.ts.net", 14 14 + verification_method: [ 15 15 + %Atex.DID.Document.VerificationMethod{ 16 16 + id: "did:web:setsuna.prawn-galaxy.ts.net#atproto", 17 17 + type: "Multikey", 18 18 + controller: "did:web:setsuna.prawn-galaxy.ts.net", 19 19 + public_key_jwk: Atex.Config.OAuth.get_key() 20 20 } 21 21 ], 22 22 - "service" => [ 23 23 - %{ 24 24 - "id" => "atex_test", 25 25 - "type" => "AtexTest", 26 26 - "serviceEndpoint" => "https://setsuna.prawn-galaxy.ts.net" 22 22 + service: [ 23 23 + %Atex.DID.Document.Service{ 24 24 + id: "atex_test", 25 25 + type: "AtexTest", 26 26 + service_endpoint: "https://setsuna.prawn-galaxy.ts.net" 27 27 } 28 28 ] 29 29 - }) 29 29 + } 30 30 + |> JSON.encode!() 30 31 31 32 get "/.well-known/did.json" do 32 33 Logger.info("got did json")

+1 -1

lib/atex/config.ex

reviewed

··· 9 9 config :atex, 10 10 plc_directory_url: "https://plc.directory" 11 11 12 12 - - `:plc_directory_url` — Base URL for the did:plc directory server. 12 12 + - `:plc_directory_url` - Base URL for the did:plc directory server. 13 13 Defaults to `"https://plc.directory"`. 14 14 """ 15 15

+56 -1

lib/atex/crypto.ex

reviewed

··· 98 98 99 99 ## Options 100 100 101 101 - - `:as_did_key` — when `true`, prepends the `did:key:` URI scheme to the 101 101 + - `:as_did_key` - when `true`, prepends the `did:key:` URI scheme to the 102 102 returned string. Defaults to `false`. 103 103 104 104 ## Examples ··· 201 201 _ -> {:error, :sign_failed} 202 202 end 203 203 204 204 + @doc """ 205 205 + Decodes a legacy (pre-`Multikey`) atproto verification method public key into a `JOSE.JWK`. 206 206 + 207 207 + Legacy `verificationMethod` entries encode the public key as an **uncompressed** EC point 208 208 + (65 bytes: `0x04 || x || y`) in base58btc multibase, without any multicodec prefix. The 209 209 + curve is identified by the `type` field of the verification method rather than a multicodec 210 210 + byte. 211 211 + 212 212 + Accepted `type` values: 213 213 + 214 214 + - `"EcdsaSecp256r1VerificationKey2019"` - P-256 / secp256r1 215 215 + - `"EcdsaSecp256k1VerificationKey2019"` - secp256k1 216 216 + 217 217 + ## Examples 218 218 + 219 219 + iex> {:ok, jwk} = Atex.Crypto.decode_legacy_multibase( 220 220 + ...> "EcdsaSecp256k1VerificationKey2019", 221 221 + ...> "zQYEBzXeuTM9UR3rfvNag6L3RNAs5pQZyYPsomTsgQhsxLdEgCrPTLgFna8yqCnxPpNT7DBk6Ym3dgPKNu86vt9GR" 222 222 + ...> ) 223 223 + iex> match?(%JOSE.JWK{}, jwk) 224 224 + true 225 225 + 226 226 + iex> Atex.Crypto.decode_legacy_multibase("UnknownType", "zQYEBzXeuTM") 227 227 + {:error, :unsupported_curve} 228 228 + """ 229 229 + @spec decode_legacy_multibase(type :: String.t(), multibase :: String.t()) :: 230 230 + {:ok, JOSE.JWK.t()} | {:error, term()} 231 231 + def decode_legacy_multibase(type, multibase) when is_binary(type) and is_binary(multibase) do 232 232 + with {:ok, crv} <- legacy_crv_for_type(type), 233 233 + {:ok, raw} <- multibase_decode(multibase), 234 234 + {:ok, x_bytes, y_bytes} <- split_uncompressed_point(raw) do 235 235 + jwk = 236 236 + JOSE.JWK.from_map(%{ 237 237 + "kty" => "EC", 238 238 + "crv" => crv, 239 239 + "x" => Base.url_encode64(x_bytes, padding: false), 240 240 + "y" => Base.url_encode64(y_bytes, padding: false) 241 241 + }) 242 242 + 243 243 + {:ok, jwk} 244 244 + end 245 245 + end 246 246 + 204 247 def generate_p256() do 205 248 JOSE.JWK.generate_key({:ec, "P-256"}) 206 249 end ··· 210 253 end 211 254 212 255 # Private helpers 256 256 + 257 257 + @spec legacy_crv_for_type(String.t()) :: {:ok, String.t()} | {:error, :unsupported_curve} 258 258 + defp legacy_crv_for_type("EcdsaSecp256r1VerificationKey2019"), do: {:ok, "P-256"} 259 259 + defp legacy_crv_for_type("EcdsaSecp256k1VerificationKey2019"), do: {:ok, "secp256k1"} 260 260 + defp legacy_crv_for_type(_), do: {:error, :unsupported_curve} 261 261 + 262 262 + @spec split_uncompressed_point(binary()) :: 263 263 + {:ok, binary(), binary()} | {:error, :invalid_point} 264 264 + defp split_uncompressed_point(<<0x04, x::binary-size(32), y::binary-size(32)>>), 265 265 + do: {:ok, x, y} 266 266 + 267 267 + defp split_uncompressed_point(_), do: {:error, :invalid_point} 213 268 214 269 @spec strip_did_key_prefix(String.t()) :: String.t() 215 270 defp strip_did_key_prefix("did:key:" <> rest), do: rest

+321

lib/atex/did/document.ex

reviewed

··· 1 1 + defmodule Atex.DID.Document do 2 2 + @moduledoc """ 3 3 + Struct and schema for a [DID document](https://github.com/w3c/did-wg/blob/main/did-explainer.md#did-documents). 4 4 + 5 5 + Covers the subset of DID document fields used by AT Protocol, including support for 6 6 + parsing the `verificationMethod` and `service` arrays into typed sub-structs. 7 7 + 8 8 + ## Sub-structs 9 9 + 10 10 + - `Atex.DID.Document.VerificationMethod` - typed representation of a public key entry, 11 11 + with normalised `JOSE.JWK` storage regardless of wire encoding. 12 12 + - `Atex.DID.Document.Service` - typed representation of a service endpoint entry. 13 13 + 14 14 + ## Parsing 15 15 + 16 16 + Use `new/1` to parse a raw map (as returned by a DID resolution response). 17 17 + The function accepts camelCase keys as returned by the wire protocol, validates the 18 18 + document structure via Peri, and converts public keys into `JOSE.JWK` structs. 19 19 + 20 20 + ## Serialisation 21 21 + 22 22 + Use `to_json/1` to produce a camelCase map suitable for JSON encoding. Public keys are 23 23 + always emitted in the canonical `Multikey` / `publicKeyMultibase` format, regardless of 24 24 + the format used when the document was originally parsed. 25 25 + 26 26 + ## ATProto-specific helpers 27 27 + 28 28 + - `validate_for_atproto/2` - checks the document meets minimum atproto requirements. 29 29 + - `get_atproto_handle/1` - extracts the claimed AT Protocol handle. 30 30 + - `get_pds_endpoint/1` - extracts the PDS service endpoint URL. 31 31 + - `get_atproto_signing_key/1` - extracts the atproto signing key as a `JOSE.JWK`. 32 32 + """ 33 33 + import Peri 34 34 + use TypedStruct 35 35 + 36 36 + alias Atex.DID.Document.{Service, VerificationMethod} 37 37 + 38 38 + defschema :schema, %{ 39 39 + "@context": {:required, {:list, Atex.Peri.uri()}}, 40 40 + id: {:required, :string}, 41 41 + controller: {:either, {Atex.Peri.did(), {:list, Atex.Peri.did()}}}, 42 42 + also_known_as: {:list, Atex.Peri.uri()}, 43 43 + verification_method: {:list, :map}, 44 44 + authentication: {:list, {:either, {Atex.Peri.uri(), :map}}}, 45 45 + service: {:list, :map} 46 46 + } 47 47 + 48 48 + typedstruct do 49 49 + field :"@context", list(String.t()), enforce: true 50 50 + field :id, String.t(), enforce: true 51 51 + field :controller, String.t() | list(String.t()) 52 52 + field :also_known_as, list(String.t()) 53 53 + field :verification_method, list(VerificationMethod.t()) 54 54 + field :authentication, list(String.t() | VerificationMethod.t()) 55 55 + field :service, list(Service.t()) 56 56 + end 57 57 + 58 58 + @doc """ 59 59 + Parses and validates a raw DID document map into a typed `t()` struct. 60 60 + 61 61 + Accepts the camelCase wire format as returned by DID resolution endpoints. 62 62 + `verificationMethod` and `service` entries are parsed into their respective sub-structs. 63 63 + Public keys are normalised to `JOSE.JWK` regardless of the wire encoding used. 64 64 + 65 65 + Returns `{:ok, t()}` on success, or `{:error, Peri.Error.t()}` on validation failure. 66 66 + 67 67 + ## Examples 68 68 + 69 69 + iex> Atex.DID.Document.new(%{ 70 70 + ...> "@context" => ["https://www.w3.org/ns/did/v1"], 71 71 + ...> "id" => "did:plc:abc123", 72 72 + ...> "verificationMethod" => [], 73 73 + ...> "service" => [] 74 74 + ...> }) 75 75 + {:ok, %Atex.DID.Document{id: "did:plc:abc123", ...}} 76 76 + """ 77 77 + @spec new(map()) :: {:ok, t()} | {:error, Peri.Error.t()} 78 78 + def new(%{} = map) do 79 79 + map 80 80 + |> Recase.Enumerable.convert_keys(&Recase.to_snake/1) 81 81 + |> schema() 82 82 + |> case do 83 83 + {:ok, params} -> 84 84 + verification_methods = 85 85 + params 86 86 + |> Map.get(:verification_method, []) 87 87 + |> Enum.map(&parse_verification_method/1) 88 88 + |> Enum.reject(&is_nil/1) 89 89 + 90 90 + services = 91 91 + params 92 92 + |> Map.get(:service, []) 93 93 + |> Enum.map(&parse_service/1) 94 94 + |> Enum.reject(&is_nil/1) 95 95 + 96 96 + authentication = 97 97 + params 98 98 + |> Map.get(:authentication, []) 99 99 + |> Enum.map(&parse_authentication_entry/1) 100 100 + |> Enum.reject(&is_nil/1) 101 101 + 102 102 + doc = 103 103 + struct( 104 104 + __MODULE__, 105 105 + params 106 106 + |> Map.put(:verification_method, verification_methods) 107 107 + |> Map.put(:service, services) 108 108 + |> Map.put(:authentication, authentication) 109 109 + ) 110 110 + 111 111 + {:ok, doc} 112 112 + 113 113 + e -> 114 114 + e 115 115 + end 116 116 + end 117 117 + 118 118 + @doc """ 119 119 + Serialises a `t()` struct to a camelCase map suitable for JSON encoding. 120 120 + 121 121 + Public keys in `verificationMethod` are always emitted in the canonical `Multikey` 122 122 + format with `publicKeyMultibase`. 123 123 + 124 124 + ## Examples 125 125 + 126 126 + iex> {:ok, doc} = Atex.DID.Document.new(%{ 127 127 + ...> "@context" => ["https://www.w3.org/ns/did/v1"], 128 128 + ...> "id" => "did:plc:abc123" 129 129 + ...> }) 130 130 + iex> json = Atex.DID.Document.to_json(doc) 131 131 + iex> json["id"] 132 132 + "did:plc:abc123" 133 133 + """ 134 134 + @spec to_json(t()) :: map() 135 135 + def to_json(%__MODULE__{} = doc) do 136 136 + base = %{ 137 137 + "@context" => Map.get(doc, :"@context"), 138 138 + "id" => doc.id 139 139 + } 140 140 + 141 141 + base 142 142 + |> maybe_put("controller", doc.controller) 143 143 + |> maybe_put("alsoKnownAs", doc.also_known_as) 144 144 + |> maybe_put( 145 145 + "verificationMethod", 146 146 + doc.verification_method && Enum.map(doc.verification_method, &VerificationMethod.to_json/1) 147 147 + ) 148 148 + |> maybe_put( 149 149 + "authentication", 150 150 + doc.authentication && Enum.map(doc.authentication, &serialise_authentication_entry/1) 151 151 + ) 152 152 + |> maybe_put( 153 153 + "service", 154 154 + doc.service && Enum.map(doc.service, &Service.to_json/1) 155 155 + ) 156 156 + end 157 157 + 158 158 + @doc """ 159 159 + Validates that a DID document meets the minimum requirements for AT Protocol. 160 160 + 161 161 + Checks: 162 162 + 163 163 + - The document `id` matches the expected DID. 164 164 + - A valid atproto signing key exists (`verificationMethod` entry with id ending `#atproto` 165 165 + and `controller` matching the DID). 166 166 + - A valid PDS service entry exists (`service` entry with id ending `#atproto_pds`, type 167 167 + `"AtprotoPersonalDataServer"`, and a valid HTTPS or HTTP endpoint URL). 168 168 + 169 169 + Returns `:ok` or one of `{:error, :id_mismatch}`, `{:error, :no_signing_key}`, 170 170 + `{:error, :invalid_pds}`. 171 171 + """ 172 172 + @spec validate_for_atproto(t(), String.t()) :: 173 173 + :ok | {:error, :id_mismatch | :no_signing_key | :invalid_pds} 174 174 + def validate_for_atproto(%__MODULE__{} = doc, did) do 175 175 + id_matches = doc.id == did 176 176 + 177 177 + valid_signing_key = 178 178 + Enum.any?(doc.verification_method || [], fn method -> 179 179 + String.ends_with?(method.id, "#atproto") and method.controller == did 180 180 + end) 181 181 + 182 182 + valid_pds_service = 183 183 + Enum.any?(doc.service || [], fn service -> 184 184 + String.ends_with?(service.id, "#atproto_pds") and 185 185 + service.type == "AtprotoPersonalDataServer" and 186 186 + valid_pds_endpoint?(service.service_endpoint) 187 187 + end) 188 188 + 189 189 + case {id_matches, valid_signing_key, valid_pds_service} do 190 190 + {true, true, true} -> :ok 191 191 + {false, _, _} -> {:error, :id_mismatch} 192 192 + {_, false, _} -> {:error, :no_signing_key} 193 193 + {_, _, false} -> {:error, :invalid_pds} 194 194 + end 195 195 + end 196 196 + 197 197 + @doc """ 198 198 + Returns the AT Protocol handle claimed by this DID document, or `nil` if none is present. 199 199 + 200 200 + The handle is found in the `alsoKnownAs` array as a URI with the `at://` scheme followed 201 201 + by the handle hostname. Per the atproto specification, only the first syntactically valid 202 202 + handle in the list is returned. 203 203 + 204 204 + > #### Note {: .info} 205 205 + > 206 206 + > A handle returned here is only a claim. To confirm it, validate bidirectionally by 207 207 + > resolving the handle to a DID and checking it matches. See 208 208 + > `Atex.IdentityResolver.Handle.resolve/2`. 209 209 + """ 210 210 + @spec get_atproto_handle(t()) :: String.t() | nil 211 211 + def get_atproto_handle(%__MODULE__{also_known_as: nil}), do: nil 212 212 + 213 213 + def get_atproto_handle(%__MODULE__{} = doc) do 214 214 + Enum.find_value(doc.also_known_as, fn 215 215 + "at://" <> handle -> handle 216 216 + _ -> nil 217 217 + end) 218 218 + end 219 219 + 220 220 + @doc """ 221 221 + Returns the PDS service endpoint URL from the DID document, or `nil` if not found. 222 222 + 223 223 + Looks for a `service` entry with id ending `#atproto_pds` and type 224 224 + `"AtprotoPersonalDataServer"`. 225 225 + """ 226 226 + @spec get_pds_endpoint(t()) :: String.t() | nil 227 227 + def get_pds_endpoint(%__MODULE__{} = doc) do 228 228 + (doc.service || []) 229 229 + |> Enum.find(fn 230 230 + %Service{id: id, type: "AtprotoPersonalDataServer"} -> 231 231 + String.ends_with?(id, "#atproto_pds") 232 232 + 233 233 + _ -> 234 234 + false 235 235 + end) 236 236 + |> case do 237 237 + nil -> nil 238 238 + pds -> pds.service_endpoint 239 239 + end 240 240 + end 241 241 + 242 242 + @doc """ 243 243 + Returns the atproto signing key from the DID document as a `JOSE.JWK`, or `nil`. 244 244 + 245 245 + Finds the first `verificationMethod` entry whose id ends with `#atproto`. The public key 246 246 + is returned as a `JOSE.JWK` struct directly, since key decoding (including legacy formats) 247 247 + is performed at parse time in `new/1`. 248 248 + """ 249 249 + @spec get_atproto_signing_key(t()) :: JOSE.JWK.t() | nil 250 250 + def get_atproto_signing_key(%__MODULE__{} = doc) do 251 251 + (doc.verification_method || []) 252 252 + |> Enum.find(fn %VerificationMethod{id: id} -> String.ends_with?(id, "#atproto") end) 253 253 + |> case do 254 254 + nil -> nil 255 255 + method -> method.public_key_jwk 256 256 + end 257 257 + end 258 258 + 259 259 + # Parse a raw verification method map, returning nil on failure. 260 260 + @spec parse_verification_method(map()) :: VerificationMethod.t() | nil 261 261 + defp parse_verification_method(raw) do 262 262 + case VerificationMethod.new(raw) do 263 263 + {:ok, vm} -> vm 264 264 + _ -> nil 265 265 + end 266 266 + end 267 267 + 268 268 + # Parse a raw service map, returning nil on failure. 269 269 + @spec parse_service(map()) :: Service.t() | nil 270 270 + defp parse_service(raw) do 271 271 + case Service.new(raw) do 272 272 + {:ok, svc} -> svc 273 273 + _ -> nil 274 274 + end 275 275 + end 276 276 + 277 277 + # Authentication entries can be either a URI string or a verification method map. 278 278 + @spec parse_authentication_entry(String.t() | map()) :: 279 279 + String.t() | VerificationMethod.t() | nil 280 280 + defp parse_authentication_entry(entry) when is_binary(entry), do: entry 281 281 + 282 282 + defp parse_authentication_entry(entry) when is_map(entry) do 283 283 + parse_verification_method(entry) 284 284 + end 285 285 + 286 286 + defp parse_authentication_entry(_), do: nil 287 287 + 288 288 + @spec serialise_authentication_entry(String.t() | VerificationMethod.t()) :: String.t() | map() 289 289 + defp serialise_authentication_entry(entry) when is_binary(entry), do: entry 290 290 + 291 291 + defp serialise_authentication_entry(%VerificationMethod{} = vm), 292 292 + do: VerificationMethod.to_json(vm) 293 293 + 294 294 + @spec maybe_put(map(), String.t(), any()) :: map() 295 295 + defp maybe_put(map, _key, nil), do: map 296 296 + defp maybe_put(map, _key, []), do: map 297 297 + defp maybe_put(map, key, value), do: Map.put(map, key, value) 298 298 + 299 299 + @spec valid_pds_endpoint?(String.t()) :: boolean() 300 300 + defp valid_pds_endpoint?(endpoint) do 301 301 + case URI.new(endpoint) do 302 302 + {:ok, uri} -> 303 303 + is_plain_uri = 304 304 + uri 305 305 + |> Map.from_struct() 306 306 + |> Enum.all?(fn 307 307 + {key, value} when key in [:userinfo, :path, :query, :fragment] -> is_nil(value) 308 308 + _ -> true 309 309 + end) 310 310 + 311 311 + uri.scheme in ["https", "http"] and is_plain_uri 312 312 + 313 313 + _ -> 314 314 + false 315 315 + end 316 316 + end 317 317 + end 318 318 + 319 319 + defimpl JSON.Encoder, for: Atex.DID.Document do 320 320 + def encode(value, encoder), do: JSON.encode!(Atex.DID.Document.to_json(value), encoder) 321 321 + end

+102

lib/atex/did/document/service.ex

reviewed

··· 1 1 + defmodule Atex.DID.Document.Service do 2 2 + @moduledoc """ 3 3 + Struct and schema for a `service` entry in a DID document. 4 4 + 5 5 + Each service entry describes a network endpoint associated with the DID subject. 6 6 + In atproto, the most relevant service is the PDS (Personal Data Server), identified 7 7 + by the `#atproto_pds` fragment and type `"AtprotoPersonalDataServer"`. 8 8 + 9 9 + ## Fields 10 10 + 11 11 + - `:id` - URI identifying the service, typically a DID fragment (e.g. `"#atproto_pds"` 12 12 + or the fully-qualified form `"did:plc:abc123#atproto_pds"`). 13 13 + - `:type` - Service type string or list of type strings. 14 14 + - `:service_endpoint` - The endpoint URI, a map of URIs, or a list of either. 15 15 + """ 16 16 + import Peri 17 17 + use TypedStruct 18 18 + 19 19 + @typedoc "A service endpoint: a URI string, a map of URI strings, or a list of either." 20 20 + @type endpoint() :: 21 21 + String.t() 22 22 + | %{String.t() => String.t()} 23 23 + | list(String.t() | %{String.t() => String.t()}) 24 24 + 25 25 + defschema :schema, %{ 26 26 + id: {:required, Atex.Peri.uri()}, 27 27 + type: {:required, {:either, {:string, {:list, :string}}}}, 28 28 + service_endpoint: 29 29 + {:required, 30 30 + {:oneof, 31 31 + [ 32 32 + Atex.Peri.uri(), 33 33 + {:map, Atex.Peri.uri()}, 34 34 + {:list, {:either, {Atex.Peri.uri(), {:map, Atex.Peri.uri()}}}} 35 35 + ]}} 36 36 + } 37 37 + 38 38 + typedstruct do 39 39 + field :id, String.t(), enforce: true 40 40 + field :type, String.t() | list(String.t()), enforce: true 41 41 + field :service_endpoint, endpoint(), enforce: true 42 42 + end 43 43 + 44 44 + @doc """ 45 45 + Validates and builds a `Service` struct from a map (snake_case or camelCase keys). 46 46 + 47 47 + Returns `{:ok, t()}` on success, or `{:error, Peri.Error.t()}` on validation failure. 48 48 + 49 49 + ## Examples 50 50 + 51 51 + iex> Atex.DID.Document.Service.new(%{ 52 52 + ...> "id" => "#atproto_pds", 53 53 + ...> "type" => "AtprotoPersonalDataServer", 54 54 + ...> "serviceEndpoint" => "https://pds.example.com" 55 55 + ...> }) 56 56 + {:ok, %Atex.DID.Document.Service{ 57 57 + id: "#atproto_pds", 58 58 + type: "AtprotoPersonalDataServer", 59 59 + service_endpoint: "https://pds.example.com" 60 60 + }} 61 61 + """ 62 62 + @spec new(map()) :: {:ok, t()} | {:error, Peri.Error.t()} 63 63 + def new(%{} = map) do 64 64 + map 65 65 + |> Recase.Enumerable.convert_keys(&Recase.to_snake/1) 66 66 + |> schema() 67 67 + |> case do 68 68 + {:ok, params} -> {:ok, struct(__MODULE__, params)} 69 69 + e -> e 70 70 + end 71 71 + end 72 72 + 73 73 + @doc """ 74 74 + Converts a `Service` struct to a camelCase map suitable for JSON serialisation. 75 75 + 76 76 + ## Examples 77 77 + 78 78 + iex> svc = %Atex.DID.Document.Service{ 79 79 + ...> id: "#atproto_pds", 80 80 + ...> type: "AtprotoPersonalDataServer", 81 81 + ...> service_endpoint: "https://pds.example.com" 82 82 + ...> } 83 83 + iex> Atex.DID.Document.Service.to_json(svc) 84 84 + %{ 85 85 + "id" => "#atproto_pds", 86 86 + "type" => "AtprotoPersonalDataServer", 87 87 + "serviceEndpoint" => "https://pds.example.com" 88 88 + } 89 89 + """ 90 90 + @spec to_json(t()) :: map() 91 91 + def to_json(%__MODULE__{} = service) do 92 92 + %{ 93 93 + "id" => service.id, 94 94 + "type" => service.type, 95 95 + "serviceEndpoint" => service.service_endpoint 96 96 + } 97 97 + end 98 98 + end 99 99 + 100 100 + defimpl JSON.Encoder, for: Atex.DID.Document.Service do 101 101 + def encode(value, encoder), do: JSON.encode!(Atex.DID.Document.Service.to_json(value), encoder) 102 102 + end

+152

lib/atex/did/document/verification_method.ex

reviewed

··· 1 1 + defmodule Atex.DID.Document.VerificationMethod do 2 2 + @moduledoc """ 3 3 + Struct and schema for a `verificationMethod` entry in a DID document. 4 4 + 5 5 + Internally, public keys are always stored as `JOSE.JWK` structs regardless of the 6 6 + wire encoding. Both the current `Multikey` format and the legacy 7 7 + `EcdsaSecp256r1VerificationKey2019` / `EcdsaSecp256k1VerificationKey2019` formats 8 8 + are accepted during parsing. 9 9 + 10 10 + ## Wire formats 11 11 + 12 12 + **Current (`Multikey`)** 13 13 + 14 14 + ```json 15 15 + { 16 16 + "id": "did:plc:abc123#atproto", 17 17 + "type": "Multikey", 18 18 + "controller": "did:plc:abc123", 19 19 + "publicKeyMultibase": "zDnaembgSGUhZULN2Caob4HLJPaxBh92N7rtH21TErzqf8HQo" 20 20 + } 21 21 + ``` 22 22 + 23 23 + **Legacy (uncompressed multibase, curve identified by `type`)** 24 24 + 25 25 + ```json 26 26 + { 27 27 + "id": "#atproto", 28 28 + "type": "EcdsaSecp256k1VerificationKey2019", 29 29 + "controller": "did:plc:abc123", 30 30 + "publicKeyMultibase": "zQYEBzXeuTM9UR3rfvNag6L3RNAs5pQZyYPsomTsgQhsxLdEgCrPTLgFna8yqCnxPpNT7DBk6Ym3dgPKNu86vt9GR" 31 31 + } 32 32 + ``` 33 33 + 34 34 + ## Fields 35 35 + 36 36 + - `:id` - URI identifying the key, typically a DID fragment (e.g. `"#atproto"`). 37 37 + - `:type` - Key type string (e.g. `"Multikey"`). 38 38 + - `:controller` - DID of the entity that controls this key. 39 39 + - `:public_key_jwk` - The public key as a `JOSE.JWK` struct, or `nil` if the wire 40 40 + format could not be decoded. 41 41 + """ 42 42 + import Peri 43 43 + use TypedStruct 44 44 + 45 45 + @legacy_types ~w(EcdsaSecp256r1VerificationKey2019 EcdsaSecp256k1VerificationKey2019) 46 46 + 47 47 + defschema :schema, %{ 48 48 + id: {:required, Atex.Peri.uri()}, 49 49 + type: {:required, :string}, 50 50 + controller: {:required, Atex.Peri.did()}, 51 51 + public_key_multibase: :string 52 52 + } 53 53 + 54 54 + typedstruct do 55 55 + field :id, String.t(), enforce: true 56 56 + field :type, String.t(), enforce: true 57 57 + field :controller, String.t(), enforce: true 58 58 + field :public_key_jwk, JOSE.JWK.t() | nil 59 59 + end 60 60 + 61 61 + @doc """ 62 62 + Validates and builds a `VerificationMethod` struct from a raw map. 63 63 + 64 64 + Accepts camelCase or snake_case keys. The public key in `publicKeyMultibase` - whether 65 65 + in the current `Multikey` format or the legacy uncompressed format - is decoded and stored 66 66 + as `public_key_jwk`. 67 67 + 68 68 + Returns `{:ok, t()}` on success, or `{:error, term()}` on validation or decode failure. 69 69 + 70 70 + ## Examples 71 71 + 72 72 + iex> Atex.DID.Document.VerificationMethod.new(%{ 73 73 + ...> "id" => "did:plc:abc123#atproto", 74 74 + ...> "type" => "Multikey", 75 75 + ...> "controller" => "did:plc:abc123", 76 76 + ...> "publicKeyMultibase" => "zDnaembgSGUhZULN2Caob4HLJPaxBh92N7rtH21TErzqf8HQo" 77 77 + ...> }) 78 78 + {:ok, %Atex.DID.Document.VerificationMethod{ 79 79 + id: "did:plc:abc123#atproto", 80 80 + type: "Multikey", 81 81 + controller: "did:plc:abc123", 82 82 + public_key_jwk: %JOSE.JWK{} 83 83 + }} 84 84 + """ 85 85 + @spec new(map()) :: {:ok, t()} | {:error, term()} 86 86 + def new(%{} = map) do 87 87 + snake = Recase.Enumerable.convert_keys(map, &Recase.to_snake/1) 88 88 + 89 89 + with {:ok, params} <- schema(snake) do 90 90 + jwk = resolve_public_key(params) 91 91 + {:ok, struct(__MODULE__, Map.put(params, :public_key_jwk, jwk))} 92 92 + end 93 93 + end 94 94 + 95 95 + @doc """ 96 96 + Converts a `VerificationMethod` struct to a camelCase map for JSON serialisation. 97 97 + 98 98 + The public key is always emitted in the canonical `Multikey` / `publicKeyMultibase` 99 99 + format. If no public key is present, `"publicKeyMultibase"` is omitted. 100 100 + 101 101 + ## Examples 102 102 + 103 103 + iex> {:ok, vm} = Atex.DID.Document.VerificationMethod.new(%{ 104 104 + ...> "id" => "did:plc:abc123#atproto", 105 105 + ...> "type" => "Multikey", 106 106 + ...> "controller" => "did:plc:abc123", 107 107 + ...> "publicKeyMultibase" => "zDnaembgSGUhZULN2Caob4HLJPaxBh92N7rtH21TErzqf8HQo" 108 108 + ...> }) 109 109 + iex> json = Atex.DID.Document.VerificationMethod.to_json(vm) 110 110 + iex> json["type"] 111 111 + "Multikey" 112 112 + iex> is_binary(json["publicKeyMultibase"]) 113 113 + true 114 114 + """ 115 115 + @spec to_json(t()) :: map() 116 116 + def to_json(%__MODULE__{} = vm) do 117 117 + base = %{ 118 118 + "id" => vm.id, 119 119 + "type" => "Multikey", 120 120 + "controller" => vm.controller 121 121 + } 122 122 + 123 123 + case vm.public_key_jwk && Atex.Crypto.encode_did_key(vm.public_key_jwk) do 124 124 + {:ok, multibase} -> Map.put(base, "publicKeyMultibase", multibase) 125 125 + _ -> base 126 126 + end 127 127 + end 128 128 + 129 129 + # Resolve the public key from validated (snake_case) params to a JOSE.JWK or nil. 130 130 + @spec resolve_public_key(map()) :: JOSE.JWK.t() | nil 131 131 + defp resolve_public_key(%{type: type, public_key_multibase: multibase}) 132 132 + when type in @legacy_types and is_binary(multibase) do 133 133 + case Atex.Crypto.decode_legacy_multibase(type, multibase) do 134 134 + {:ok, jwk} -> jwk 135 135 + _ -> nil 136 136 + end 137 137 + end 138 138 + 139 139 + defp resolve_public_key(%{public_key_multibase: multibase}) when is_binary(multibase) do 140 140 + case Atex.Crypto.decode_did_key(multibase) do 141 141 + {:ok, jwk} -> jwk 142 142 + _ -> nil 143 143 + end 144 144 + end 145 145 + 146 146 + defp resolve_public_key(_), do: nil 147 147 + end 148 148 + 149 149 + defimpl JSON.Encoder, for: Atex.DID.Document.VerificationMethod do 150 150 + def encode(value, encoder), 151 151 + do: JSON.encode!(Atex.DID.Document.VerificationMethod.to_json(value), encoder) 152 152 + end

+1 -1

lib/atex/identity_resolver.ex

reviewed

··· 1 1 defmodule Atex.IdentityResolver do 2 2 alias Atex.IdentityResolver.{Cache, DID, Handle, Identity} 3 3 - alias Atex.PLC.DIDDocument 3 3 + alias Atex.DID.Document, as: DIDDocument 4 4 5 5 @handle_strategy Application.compile_env(:atex, :handle_resolver_strategy, :dns_first) 6 6 @type options() :: {:skip_cache, boolean()}

+5 -5

lib/atex/identity_resolver/did.ex

reviewed

··· 1 1 defmodule Atex.IdentityResolver.DID do 2 2 - alias Atex.PLC 2 2 + alias Atex.{DID, PLC} 3 3 4 4 @type resolution_result() :: 5 5 - {:ok, PLC.DIDDocument.t()} 5 5 + {:ok, DID.Document.t()} 6 6 | {:error, :invalid_did_type | :invalid_did | :not_found | map() | atom() | any()} 7 7 8 8 @spec resolve(String.t()) :: resolution_result() ··· 14 14 @spec resolve_plc(String.t()) :: resolution_result() 15 15 defp resolve_plc("did:plc:" <> _id = did) do 16 16 with {:ok, document} <- PLC.resolve_did(did), 17 17 - :ok <- PLC.DIDDocument.validate_for_atproto(document, did) do 17 17 + :ok <- DID.Document.validate_for_atproto(document, did) do 18 18 {:ok, document} 19 19 end 20 20 end ··· 24 24 with {:ok, resp} when resp.status in 200..299 <- 25 25 Req.get("https://#{domain}/.well-known/did.json"), 26 26 {:ok, body} <- decode_body(resp.body), 27 27 - {:ok, document} <- PLC.DIDDocument.from_json(body), 28 28 - :ok <- PLC.DIDDocument.validate_for_atproto(document, did) do 27 27 + {:ok, document} <- DID.Document.new(body), 28 28 + :ok <- DID.Document.validate_for_atproto(document, did) do 29 29 {:ok, document} 30 30 else 31 31 {:ok, %{status: 404}} -> {:error, :not_found}

+1 -1

lib/atex/identity_resolver/identity.ex

reviewed

··· 12 12 @typedoc """ 13 13 The resolved DID document for an identity. 14 14 """ 15 15 - @type document() :: Atex.PLC.DIDDocument.t() 15 15 + @type document() :: Atex.DID.Document.t() 16 16 17 17 typedstruct do 18 18 field :did, did(), enforce: true

+3 -3

lib/atex/oauth/plug.ex

reviewed

··· 93 93 require Logger 94 94 use Plug.Router 95 95 require Plug.Router 96 96 - alias Atex.{IdentityResolver, OAuth, PLC.DIDDocument} 96 96 + alias Atex.{DID, IdentityResolver, OAuth} 97 97 98 98 @oauth_cookie_opts [path: "/", http_only: true, secure: true, same_site: "lax", max_age: 600] 99 99 @session_name :atex_session ··· 129 129 130 130 case IdentityResolver.resolve(handle) do 131 131 {:ok, identity} -> 132 132 - pds = DIDDocument.get_pds_endpoint(identity.document) 132 132 + pds = DID.Document.get_pds_endpoint(identity.document) 133 133 {:ok, authz_server} = OAuth.get_authorization_server(pds) 134 134 {:ok, authz_metadata} = OAuth.get_authorization_server_metadata(authz_server) 135 135 state = OAuth.create_nonce() ··· 195 195 ), 196 196 {:ok, identity} <- IdentityResolver.resolve(tokens.did), 197 197 # Make sure pds' issuer matches the stored one (just in case) 198 198 - pds <- DIDDocument.get_pds_endpoint(identity.document), 198 198 + pds <- DID.Document.get_pds_endpoint(identity.document), 199 199 {:ok, authz_server} <- OAuth.get_authorization_server(pds), 200 200 true <- authz_server == stored_issuer do 201 201 session = %OAuth.Session{

+6 -6

lib/atex/plc.ex

reviewed

··· 25 25 - `:not_found` - The DID is not registered (HTTP 404). 26 26 - `:tombstoned` - The DID has been permanently deactivated (HTTP 410). 27 27 - `:invalid_document` - The server returned a body that could not be parsed 28 28 - into a `DIDDocument`. 28 28 + into an `Atex.DID.Document`. 29 29 - `{:invalid_operation, message}` - The submitted operation was rejected by 30 30 the server, with an explanatory message (HTTP 400). 31 31 - `:invalid_operation` - The submitted operation was rejected without a ··· 39 39 @type create_op_error() :: 40 40 {:error, {:invalid_operation, message :: String.t()} | :invalid_operation} | error() 41 41 42 42 - alias Atex.PLC.DIDDocument 42 42 + alias Atex.DID 43 43 44 44 @doc """ 45 45 Resolves the DID Document for the given `did:plc` identifier. 46 46 47 47 Fetches the current DID Document from the directory server and parses it into 48 48 - an `Atex.PLC.DIDDocument` struct. 48 48 + an `Atex.DID.Document` struct. 49 49 50 50 ## Parameters 51 51 ··· 55 55 ## Examples 56 56 57 57 iex> Atex.PLC.resolve_did("did:plc:ewvi7nxzyoun6zhxrhs64oiz") 58 58 - {:ok, %Atex.PLC.DIDDocument{...}} 58 58 + {:ok, %Atex.DID.Document{...}} 59 59 60 60 iex> Atex.PLC.resolve_did("did:plc:doesnotexist") 61 61 {:error, :not_found} 62 62 """ 63 63 - @spec resolve_did(String.t(), keyword()) :: {:ok, DIDDocument.t()} | error() 63 63 + @spec resolve_did(String.t(), keyword()) :: {:ok, DID.Document.t()} | error() 64 64 def resolve_did(did, opts \\ []) do 65 65 opts 66 66 |> host() ··· 69 69 |> handle_response() 70 70 |> case do 71 71 {:ok, body} -> 72 72 - case DIDDocument.from_json(body) do 72 72 + case DID.Document.new(body) do 73 73 {:ok, document} -> {:ok, document} 74 74 {:error, _reason} -> {:error, :invalid_document} 75 75 end

-174

lib/atex/plc/did_document.ex

reviewed

··· 1 1 - defmodule Atex.PLC.DIDDocument do 2 2 - @moduledoc """ 3 3 - Struct and schema for describing and validating a [DID document](https://github.com/w3c/did-wg/blob/main/did-explainer.md#did-documents). 4 4 - """ 5 5 - import Peri 6 6 - use TypedStruct 7 7 - 8 8 - defschema :schema, %{ 9 9 - "@context": {:required, {:list, Atex.Peri.uri()}}, 10 10 - id: {:required, :string}, 11 11 - controller: {:either, {Atex.Peri.did(), {:list, Atex.Peri.did()}}}, 12 12 - also_known_as: {:list, Atex.Peri.uri()}, 13 13 - verification_method: {:list, get_schema(:verification_method)}, 14 14 - authentication: {:list, {:either, {Atex.Peri.uri(), get_schema(:verification_method)}}}, 15 15 - service: {:list, get_schema(:service)} 16 16 - } 17 17 - 18 18 - defschema :verification_method, %{ 19 19 - id: {:required, Atex.Peri.uri()}, 20 20 - type: {:required, :string}, 21 21 - controller: {:required, Atex.Peri.did()}, 22 22 - public_key_multibase: :string, 23 23 - public_key_jwk: :map 24 24 - } 25 25 - 26 26 - defschema :service, %{ 27 27 - id: {:required, Atex.Peri.uri()}, 28 28 - type: {:required, {:either, {:string, {:list, :string}}}}, 29 29 - service_endpoint: 30 30 - {:required, 31 31 - {:oneof, 32 32 - [ 33 33 - Atex.Peri.uri(), 34 34 - {:map, Atex.Peri.uri()}, 35 35 - {:list, {:either, {Atex.Peri.uri(), {:map, Atex.Peri.uri()}}}} 36 36 - ]}} 37 37 - } 38 38 - 39 39 - @type verification_method() :: %{ 40 40 - required(:id) => String.t(), 41 41 - required(:type) => String.t(), 42 42 - required(:controller) => String.t(), 43 43 - optional(:public_key_multibase) => String.t(), 44 44 - optional(:public_key_jwk) => map() 45 45 - } 46 46 - 47 47 - @type service() :: %{ 48 48 - required(:id) => String.t(), 49 49 - required(:type) => String.t() | list(String.t()), 50 50 - required(:service_endpoint) => 51 51 - String.t() 52 52 - | %{String.t() => String.t()} 53 53 - | list(String.t() | %{String.t() => String.t()}) 54 54 - } 55 55 - 56 56 - typedstruct do 57 57 - field :"@context", list(String.t()), enforce: true 58 58 - field :id, String.t(), enforce: true 59 59 - field :controller, String.t() | list(String.t()) 60 60 - field :also_known_as, list(String.t()) 61 61 - field :verification_method, list(verification_method()) 62 62 - field :authentication, list(String.t() | verification_method()) 63 63 - field :service, list(service()) 64 64 - end 65 65 - 66 66 - def new(params), do: struct(__MODULE__, params) 67 67 - 68 68 - @spec from_json(map()) :: {:ok, t()} | {:error, Peri.Error.t()} 69 69 - def from_json(%{} = map) do 70 70 - map 71 71 - |> Recase.Enumerable.convert_keys(&Recase.to_snake/1) 72 72 - |> schema() 73 73 - |> case do 74 74 - {:ok, params} -> {:ok, new(params)} 75 75 - e -> e 76 76 - end 77 77 - end 78 78 - 79 79 - @spec validate_for_atproto(t(), String.t()) :: any() 80 80 - def validate_for_atproto(%__MODULE__{} = doc, did) do 81 81 - id_matches = doc.id == did 82 82 - 83 83 - valid_signing_key = 84 84 - Enum.any?(doc.verification_method, fn method -> 85 85 - String.ends_with?(method.id, "#atproto") and method.controller == did 86 86 - end) 87 87 - 88 88 - valid_pds_service = 89 89 - Enum.any?(doc.service, fn service -> 90 90 - String.ends_with?(service.id, "#atproto_pds") and 91 91 - service.type == "AtprotoPersonalDataServer" and 92 92 - valid_pds_endpoint?(service.service_endpoint) 93 93 - end) 94 94 - 95 95 - case {id_matches, valid_signing_key, valid_pds_service} do 96 96 - {true, true, true} -> :ok 97 97 - {false, _, _} -> {:error, :id_mismatch} 98 98 - {_, false, _} -> {:error, :no_signing_key} 99 99 - {_, _, false} -> {:error, :invalid_pds} 100 100 - end 101 101 - end 102 102 - 103 103 - @doc """ 104 104 - Get the associated ATProto handle in the DID document. 105 105 - 106 106 - ATProto dictates that only the first valid handle is to be used, so this 107 107 - follows that rule. 108 108 - 109 109 - > #### Note {: .info} 110 110 - > 111 111 - > While DID documents are fairly authoritative, you need to make sure to 112 112 - > validate the handle bidirectionally. See 113 113 - > `Atex.IdentityResolver.Handle.resolve/2`. 114 114 - """ 115 115 - @spec get_atproto_handle(t()) :: String.t() | nil 116 116 - def get_atproto_handle(%__MODULE__{also_known_as: nil}), do: nil 117 117 - 118 118 - def get_atproto_handle(%__MODULE__{} = doc) do 119 119 - Enum.find_value(doc.also_known_as, fn 120 120 - # TODO: make sure no path or other URI parts 121 121 - "at://" <> handle -> handle 122 122 - _ -> nil 123 123 - end) 124 124 - end 125 125 - 126 126 - @spec get_pds_endpoint(t()) :: String.t() | nil 127 127 - def get_pds_endpoint(%__MODULE__{} = doc) do 128 128 - doc.service 129 129 - |> Enum.find(fn 130 130 - %{id: "#atproto_pds", type: "AtprotoPersonalDataServer"} -> true 131 131 - _ -> false 132 132 - end) 133 133 - |> case do 134 134 - nil -> nil 135 135 - pds -> pds.service_endpoint 136 136 - end 137 137 - end 138 138 - 139 139 - @spec get_atproto_signing_key(t()) :: JOSE.JWK.t() | nil 140 140 - def get_atproto_signing_key(%__MODULE__{} = doc) do 141 141 - doc.verification_method 142 142 - |> Enum.find(fn 143 143 - %{id: id} -> String.ends_with?(id, "#atproto") 144 144 - end) 145 145 - |> case do 146 146 - nil -> 147 147 - nil 148 148 - 149 149 - %{public_key_multibase: multibase} -> 150 150 - {:ok, jwk} = Atex.Crypto.decode_did_key(multibase) 151 151 - jwk 152 152 - 153 153 - # TODO 154 154 - _ -> 155 155 - raise ArgumentError, message: "Legacy verification method keys are not yet supported" 156 156 - # %{public_key_jwk: jwk} -> nil 157 157 - end 158 158 - end 159 159 - 160 160 - defp valid_pds_endpoint?(endpoint) do 161 161 - case URI.new(endpoint) do 162 162 - {:ok, uri} -> 163 163 - is_plain_uri = 164 164 - uri 165 165 - |> Map.from_struct() 166 166 - |> Enum.all?(fn 167 167 - {key, value} when key in [:userinfo, :path, :query, :fragment] -> is_nil(value) 168 168 - _ -> true 169 169 - end) 170 170 - 171 171 - uri.scheme in ["https", "http"] and is_plain_uri 172 172 - end 173 173 - end 174 174 - end

+1 -1

lib/atex/service_auth.ex

reviewed

··· 123 123 # the signing key from their DID document to verify the token 124 124 {:ok, identity} <- Atex.IdentityResolver.resolve(issuing_did), 125 125 user_jwk when not is_nil(user_jwk) <- 126 126 - Atex.PLC.DIDDocument.get_atproto_signing_key(identity.document), 126 126 + Atex.DID.Document.get_atproto_signing_key(identity.document), 127 127 {true, %JOSE.JWT{} = jwt_struct, _jws} <- JOSE.JWT.verify(user_jwk, jwt), 128 128 # Record the nonce atomically after successful verification. insert_new 129 129 # is used under the hood so this returns :seen if the jti was already

+1 -1

mix.exs

reviewed

··· 67 67 groups_for_modules: [ 68 68 "Data types": [Atex.AtURI, Atex.DID, Atex.Handle, Atex.NSID, Atex.TID], 69 69 XRPC: ~r/^Atex\.XRPC/, 70 70 - PLC: [Atex.PLC, Atex.PLC.DIDDocument], 70 70 + PLC: [Atex.PLC], 71 71 OAuth: [Atex.Config.OAuth, ~r/^Atex\.OAuth/], 72 72 Identity: [Atex.Config.IdentityResolver, ~r/^Atex\.IdentityResolver/], 73 73 Lexicons: ~r/^Atex\.Lexicon/,

+77

test/atex/did/document/service_test.exs

reviewed

··· 1 1 + defmodule Atex.DID.Document.ServiceTest do 2 2 + use ExUnit.Case, async: true 3 3 + alias Atex.DID.Document.Service 4 4 + doctest Service 5 5 + 6 6 + describe "new/1" do 7 7 + test "parses camelCase wire format" do 8 8 + assert {:ok, svc} = 9 9 + Service.new(%{ 10 10 + "id" => "#atproto_pds", 11 11 + "type" => "AtprotoPersonalDataServer", 12 12 + "serviceEndpoint" => "https://pds.example.com" 13 13 + }) 14 14 + 15 15 + assert svc.id == "#atproto_pds" 16 16 + assert svc.type == "AtprotoPersonalDataServer" 17 17 + assert svc.service_endpoint == "https://pds.example.com" 18 18 + end 19 19 + 20 20 + test "parses snake_case keys" do 21 21 + assert {:ok, svc} = 22 22 + Service.new(%{ 23 23 + id: "#atproto_pds", 24 24 + type: "AtprotoPersonalDataServer", 25 25 + service_endpoint: "https://pds.example.com" 26 26 + }) 27 27 + 28 28 + assert svc.service_endpoint == "https://pds.example.com" 29 29 + end 30 30 + 31 31 + test "accepts a list type" do 32 32 + assert {:ok, svc} = 33 33 + Service.new(%{ 34 34 + "id" => "#multi", 35 35 + "type" => ["TypeA", "TypeB"], 36 36 + "serviceEndpoint" => "https://example.com" 37 37 + }) 38 38 + 39 39 + assert svc.type == ["TypeA", "TypeB"] 40 40 + end 41 41 + 42 42 + test "returns error when required field missing" do 43 43 + assert {:error, _} = 44 44 + Service.new(%{ 45 45 + "type" => "AtprotoPersonalDataServer", 46 46 + "serviceEndpoint" => "https://pds.example.com" 47 47 + }) 48 48 + end 49 49 + end 50 50 + 51 51 + describe "to_json/1" do 52 52 + test "produces camelCase map" do 53 53 + svc = %Service{ 54 54 + id: "#atproto_pds", 55 55 + type: "AtprotoPersonalDataServer", 56 56 + service_endpoint: "https://pds.example.com" 57 57 + } 58 58 + 59 59 + json = Service.to_json(svc) 60 60 + assert json["id"] == "#atproto_pds" 61 61 + assert json["type"] == "AtprotoPersonalDataServer" 62 62 + assert json["serviceEndpoint"] == "https://pds.example.com" 63 63 + refute Map.has_key?(json, "service_endpoint") 64 64 + end 65 65 + 66 66 + test "round-trips new -> to_json" do 67 67 + input = %{ 68 68 + "id" => "#atproto_pds", 69 69 + "type" => "AtprotoPersonalDataServer", 70 70 + "serviceEndpoint" => "https://pds.example.com" 71 71 + } 72 72 + 73 73 + assert {:ok, svc} = Service.new(input) 74 74 + assert Service.to_json(svc) == input 75 75 + end 76 76 + end 77 77 + end

+159

test/atex/did/document/verification_method_test.exs

reviewed

··· 1 1 + defmodule Atex.DID.Document.VerificationMethodTest do 2 2 + use ExUnit.Case, async: true 3 3 + alias Atex.DID.Document.VerificationMethod 4 4 + 5 5 + # Spec example legacy K-256 key from https://atproto.com/specs/did#legacy-representation 6 6 + @legacy_k256_multibase "zQYEBzXeuTM9UR3rfvNag6L3RNAs5pQZyYPsomTsgQhsxLdEgCrPTLgFna8yqCnxPpNT7DBk6Ym3dgPKNu86vt9GR" 7 7 + # The same key in Multikey (compressed) format 8 8 + @multikey_k256 "zQ3shXjHeiBuRCKmM36cuYnm7YEMzhGnCmCyW92sRJ9pribSF" 9 9 + 10 10 + describe "new/1 - Multikey format" do 11 11 + test "parses a Multikey verificationMethod into a JOSE.JWK" do 12 12 + assert {:ok, vm} = 13 13 + VerificationMethod.new(%{ 14 14 + "id" => "did:plc:abc123#atproto", 15 15 + "type" => "Multikey", 16 16 + "controller" => "did:plc:abc123", 17 17 + "publicKeyMultibase" => @multikey_k256 18 18 + }) 19 19 + 20 20 + assert vm.id == "did:plc:abc123#atproto" 21 21 + assert vm.type == "Multikey" 22 22 + assert vm.controller == "did:plc:abc123" 23 23 + assert %JOSE.JWK{} = vm.public_key_jwk 24 24 + {_, map} = JOSE.JWK.to_map(vm.public_key_jwk) 25 25 + assert map["crv"] == "secp256k1" 26 26 + end 27 27 + 28 28 + test "parses a P-256 Multikey" do 29 29 + p256_mk = "zDnaembgSGUhZULN2Caob4HLJPaxBh92N7rtH21TErzqf8HQo" 30 30 + 31 31 + assert {:ok, vm} = 32 32 + VerificationMethod.new(%{ 33 33 + "id" => "#atproto", 34 34 + "type" => "Multikey", 35 35 + "controller" => "did:plc:abc123", 36 36 + "publicKeyMultibase" => p256_mk 37 37 + }) 38 38 + 39 39 + {_, map} = JOSE.JWK.to_map(vm.public_key_jwk) 40 40 + assert map["crv"] == "P-256" 41 41 + end 42 42 + end 43 43 + 44 44 + describe "new/1 - legacy uncompressed multibase format" do 45 45 + test "parses a legacy EcdsaSecp256k1VerificationKey2019 entry" do 46 46 + assert {:ok, vm} = 47 47 + VerificationMethod.new(%{ 48 48 + "id" => "#atproto", 49 49 + "type" => "EcdsaSecp256k1VerificationKey2019", 50 50 + "controller" => "did:plc:abc123", 51 51 + "publicKeyMultibase" => @legacy_k256_multibase 52 52 + }) 53 53 + 54 54 + assert %JOSE.JWK{} = vm.public_key_jwk 55 55 + {_, map} = JOSE.JWK.to_map(vm.public_key_jwk) 56 56 + assert map["crv"] == "secp256k1" 57 57 + end 58 58 + 59 59 + test "legacy and Multikey entries for the same key produce the same JWK" do 60 60 + {:ok, vm_legacy} = 61 61 + VerificationMethod.new(%{ 62 62 + "id" => "#atproto", 63 63 + "type" => "EcdsaSecp256k1VerificationKey2019", 64 64 + "controller" => "did:plc:abc123", 65 65 + "publicKeyMultibase" => @legacy_k256_multibase 66 66 + }) 67 67 + 68 68 + {:ok, vm_current} = 69 69 + VerificationMethod.new(%{ 70 70 + "id" => "#atproto", 71 71 + "type" => "Multikey", 72 72 + "controller" => "did:plc:abc123", 73 73 + "publicKeyMultibase" => @multikey_k256 74 74 + }) 75 75 + 76 76 + {_, legacy_map} = JOSE.JWK.to_map(vm_legacy.public_key_jwk) 77 77 + {_, current_map} = JOSE.JWK.to_map(vm_current.public_key_jwk) 78 78 + assert legacy_map["x"] == current_map["x"] 79 79 + assert legacy_map["y"] == current_map["y"] 80 80 + end 81 81 + 82 82 + test "parses a legacy EcdsaSecp256r1VerificationKey2019 entry" do 83 83 + priv = JOSE.JWK.generate_key({:ec, "P-256"}) 84 84 + pub = JOSE.JWK.to_public(priv) 85 85 + {_, map} = JOSE.JWK.to_map(pub) 86 86 + 87 87 + x = Base.url_decode64!(map["x"], padding: false) 88 88 + y = Base.url_decode64!(map["y"], padding: false) 89 89 + uncompressed = <<0x04>> <> x <> y 90 90 + legacy_mb = Multiformats.Multibase.encode(uncompressed, :base58btc) 91 91 + 92 92 + assert {:ok, vm} = 93 93 + VerificationMethod.new(%{ 94 94 + "id" => "#atproto", 95 95 + "type" => "EcdsaSecp256r1VerificationKey2019", 96 96 + "controller" => "did:plc:abc123", 97 97 + "publicKeyMultibase" => legacy_mb 98 98 + }) 99 99 + 100 100 + {_, decoded_map} = JOSE.JWK.to_map(vm.public_key_jwk) 101 101 + assert decoded_map["x"] == map["x"] 102 102 + assert decoded_map["y"] == map["y"] 103 103 + end 104 104 + end 105 105 + 106 106 + describe "to_json/1" do 107 107 + test "emits Multikey format regardless of input format" do 108 108 + assert {:ok, vm} = 109 109 + VerificationMethod.new(%{ 110 110 + "id" => "#atproto", 111 111 + "type" => "EcdsaSecp256k1VerificationKey2019", 112 112 + "controller" => "did:plc:abc123", 113 113 + "publicKeyMultibase" => @legacy_k256_multibase 114 114 + }) 115 115 + 116 116 + json = VerificationMethod.to_json(vm) 117 117 + assert json["type"] == "Multikey" 118 118 + assert is_binary(json["publicKeyMultibase"]) 119 119 + assert String.starts_with?(json["publicKeyMultibase"], "z") 120 120 + refute Map.has_key?(json, "publicKeyJwk") 121 121 + end 122 122 + 123 123 + test "round-trips Multikey -> to_json" do 124 124 + assert {:ok, vm} = 125 125 + VerificationMethod.new(%{ 126 126 + "id" => "did:plc:abc123#atproto", 127 127 + "type" => "Multikey", 128 128 + "controller" => "did:plc:abc123", 129 129 + "publicKeyMultibase" => @multikey_k256 130 130 + }) 131 131 + 132 132 + json = VerificationMethod.to_json(vm) 133 133 + assert json["publicKeyMultibase"] == @multikey_k256 134 134 + end 135 135 + 136 136 + test "omits publicKeyMultibase when no key is present" do 137 137 + vm = %VerificationMethod{ 138 138 + id: "#atproto", 139 139 + type: "Multikey", 140 140 + controller: "did:plc:abc123", 141 141 + public_key_jwk: nil 142 142 + } 143 143 + 144 144 + json = VerificationMethod.to_json(vm) 145 145 + refute Map.has_key?(json, "publicKeyMultibase") 146 146 + end 147 147 + end 148 148 + 149 149 + describe "new/1 - error cases" do 150 150 + test "returns error when required field is missing" do 151 151 + assert {:error, _} = 152 152 + VerificationMethod.new(%{ 153 153 + "type" => "Multikey", 154 154 + "controller" => "did:plc:abc123", 155 155 + "publicKeyMultibase" => @multikey_k256 156 156 + }) 157 157 + end 158 158 + end 159 159 + end

+205

test/atex/did/document_test.exs

reviewed

··· 1 1 + defmodule Atex.DID.DocumentTest do 2 2 + use ExUnit.Case, async: true 3 3 + alias Atex.DID.Document 4 4 + alias Atex.DID.Document.{Service, VerificationMethod} 5 5 + 6 6 + @p256_multikey "zDnaembgSGUhZULN2Caob4HLJPaxBh92N7rtH21TErzqf8HQo" 7 7 + 8 8 + @valid_doc %{ 9 9 + "@context" => ["https://www.w3.org/ns/did/v1"], 10 10 + "id" => "did:plc:abc123", 11 11 + "alsoKnownAs" => ["at://alice.example.com"], 12 12 + "verificationMethod" => [ 13 13 + %{ 14 14 + "id" => "did:plc:abc123#atproto", 15 15 + "type" => "Multikey", 16 16 + "controller" => "did:plc:abc123", 17 17 + "publicKeyMultibase" => @p256_multikey 18 18 + } 19 19 + ], 20 20 + "service" => [ 21 21 + %{ 22 22 + "id" => "did:plc:abc123#atproto_pds", 23 23 + "type" => "AtprotoPersonalDataServer", 24 24 + "serviceEndpoint" => "https://pds.example.com" 25 25 + } 26 26 + ] 27 27 + } 28 28 + 29 29 + describe "new/1" do 30 30 + test "parses a complete document" do 31 31 + assert {:ok, doc} = Document.new(@valid_doc) 32 32 + assert doc.id == "did:plc:abc123" 33 33 + assert doc.also_known_as == ["at://alice.example.com"] 34 34 + assert [%VerificationMethod{}] = doc.verification_method 35 35 + assert [%Service{}] = doc.service 36 36 + end 37 37 + 38 38 + test "converts verification_method public keys to JWK" do 39 39 + assert {:ok, doc} = Document.new(@valid_doc) 40 40 + [vm] = doc.verification_method 41 41 + assert %JOSE.JWK{} = vm.public_key_jwk 42 42 + end 43 43 + 44 44 + test "accepts documents with no optional fields" do 45 45 + assert {:ok, doc} = 46 46 + Document.new(%{ 47 47 + "@context" => ["https://www.w3.org/ns/did/v1"], 48 48 + "id" => "did:plc:abc123" 49 49 + }) 50 50 + 51 51 + assert doc.id == "did:plc:abc123" 52 52 + assert is_nil(doc.verification_method) or doc.verification_method == [] 53 53 + end 54 54 + 55 55 + test "returns error when required @context is missing" do 56 56 + assert {:error, _} = Document.new(%{"id" => "did:plc:abc123"}) 57 57 + end 58 58 + 59 59 + test "drops unparseable verification_method entries silently" do 60 60 + doc_with_bad_vm = 61 61 + Map.put(@valid_doc, "verificationMethod", [ 62 62 + %{"type" => "Multikey"}, 63 63 + %{ 64 64 + "id" => "did:plc:abc123#atproto", 65 65 + "type" => "Multikey", 66 66 + "controller" => "did:plc:abc123", 67 67 + "publicKeyMultibase" => @p256_multikey 68 68 + } 69 69 + ]) 70 70 + 71 71 + assert {:ok, doc} = Document.new(doc_with_bad_vm) 72 72 + assert length(doc.verification_method) == 1 73 73 + end 74 74 + end 75 75 + 76 76 + describe "validate_for_atproto/2" do 77 77 + test "returns :ok for a valid document" do 78 78 + assert {:ok, doc} = Document.new(@valid_doc) 79 79 + assert :ok = Document.validate_for_atproto(doc, "did:plc:abc123") 80 80 + end 81 81 + 82 82 + test "returns {:error, :id_mismatch} when id does not match" do 83 83 + assert {:ok, doc} = Document.new(@valid_doc) 84 84 + assert {:error, :id_mismatch} = Document.validate_for_atproto(doc, "did:plc:other") 85 85 + end 86 86 + 87 87 + test "returns {:error, :no_signing_key} when atproto vm is missing" do 88 88 + doc_no_key = Map.put(@valid_doc, "verificationMethod", []) 89 89 + assert {:ok, doc} = Document.new(doc_no_key) 90 90 + assert {:error, :no_signing_key} = Document.validate_for_atproto(doc, "did:plc:abc123") 91 91 + end 92 92 + 93 93 + test "returns {:error, :invalid_pds} when PDS service is missing" do 94 94 + doc_no_pds = Map.put(@valid_doc, "service", []) 95 95 + assert {:ok, doc} = Document.new(doc_no_pds) 96 96 + assert {:error, :invalid_pds} = Document.validate_for_atproto(doc, "did:plc:abc123") 97 97 + end 98 98 + 99 99 + test "returns {:error, :invalid_pds} for PDS with a path component" do 100 100 + doc_bad_pds = 101 101 + Map.put(@valid_doc, "service", [ 102 102 + %{ 103 103 + "id" => "did:plc:abc123#atproto_pds", 104 104 + "type" => "AtprotoPersonalDataServer", 105 105 + "serviceEndpoint" => "https://pds.example.com/path" 106 106 + } 107 107 + ]) 108 108 + 109 109 + assert {:ok, doc} = Document.new(doc_bad_pds) 110 110 + assert {:error, :invalid_pds} = Document.validate_for_atproto(doc, "did:plc:abc123") 111 111 + end 112 112 + end 113 113 + 114 114 + describe "get_atproto_handle/1" do 115 115 + test "returns the handle from alsoKnownAs" do 116 116 + assert {:ok, doc} = Document.new(@valid_doc) 117 117 + assert Document.get_atproto_handle(doc) == "alice.example.com" 118 118 + end 119 119 + 120 120 + test "returns nil when alsoKnownAs is nil" do 121 121 + assert {:ok, doc} = Document.new(Map.delete(@valid_doc, "alsoKnownAs")) 122 122 + assert is_nil(Document.get_atproto_handle(doc)) 123 123 + end 124 124 + 125 125 + test "returns nil when no at:// URI is present" do 126 126 + doc_no_handle = Map.put(@valid_doc, "alsoKnownAs", ["https://example.com"]) 127 127 + assert {:ok, doc} = Document.new(doc_no_handle) 128 128 + assert is_nil(Document.get_atproto_handle(doc)) 129 129 + end 130 130 + 131 131 + test "returns the first valid at:// handle" do 132 132 + doc_multi = 133 133 + Map.put(@valid_doc, "alsoKnownAs", [ 134 134 + "https://example.com", 135 135 + "at://first.example.com", 136 136 + "at://second.example.com" 137 137 + ]) 138 138 + 139 139 + assert {:ok, doc} = Document.new(doc_multi) 140 140 + assert Document.get_atproto_handle(doc) == "first.example.com" 141 141 + end 142 142 + end 143 143 + 144 144 + describe "get_pds_endpoint/1" do 145 145 + test "returns the PDS endpoint" do 146 146 + assert {:ok, doc} = Document.new(@valid_doc) 147 147 + assert Document.get_pds_endpoint(doc) == "https://pds.example.com" 148 148 + end 149 149 + 150 150 + test "returns nil when no PDS service is present" do 151 151 + assert {:ok, doc} = Document.new(Map.put(@valid_doc, "service", [])) 152 152 + assert is_nil(Document.get_pds_endpoint(doc)) 153 153 + end 154 154 + end 155 155 + 156 156 + describe "get_atproto_signing_key/1" do 157 157 + test "returns the signing key as a JOSE.JWK" do 158 158 + assert {:ok, doc} = Document.new(@valid_doc) 159 159 + assert %JOSE.JWK{} = Document.get_atproto_signing_key(doc) 160 160 + end 161 161 + 162 162 + test "returns nil when no atproto vm is present" do 163 163 + assert {:ok, doc} = Document.new(Map.put(@valid_doc, "verificationMethod", [])) 164 164 + assert is_nil(Document.get_atproto_signing_key(doc)) 165 165 + end 166 166 + end 167 167 + 168 168 + describe "to_json/1" do 169 169 + test "produces camelCase keys" do 170 170 + assert {:ok, doc} = Document.new(@valid_doc) 171 171 + json = Document.to_json(doc) 172 172 + 173 173 + assert json["id"] == "did:plc:abc123" 174 174 + assert json["alsoKnownAs"] == ["at://alice.example.com"] 175 175 + assert [vm_json] = json["verificationMethod"] 176 176 + assert vm_json["type"] == "Multikey" 177 177 + assert [svc_json] = json["service"] 178 178 + assert svc_json["serviceEndpoint"] == "https://pds.example.com" 179 179 + 180 180 + refute Map.has_key?(json, "also_known_as") 181 181 + refute Map.has_key?(json, "verification_method") 182 182 + refute Map.has_key?(json, "service_endpoint") 183 183 + end 184 184 + 185 185 + test "omits nil optional fields" do 186 186 + assert {:ok, doc} = 187 187 + Document.new(%{ 188 188 + "@context" => ["https://www.w3.org/ns/did/v1"], 189 189 + "id" => "did:plc:minimal" 190 190 + }) 191 191 + 192 192 + json = Document.to_json(doc) 193 193 + refute Map.has_key?(json, "alsoKnownAs") 194 194 + refute Map.has_key?(json, "verificationMethod") 195 195 + refute Map.has_key?(json, "service") 196 196 + refute Map.has_key?(json, "controller") 197 197 + end 198 198 + 199 199 + test "verification methods in to_json are valid for re-parsing" do 200 200 + assert {:ok, doc} = Document.new(@valid_doc) 201 201 + json = Document.to_json(doc) 202 202 + assert {:ok, _doc2} = Document.new(json) 203 203 + end 204 204 + end 205 205 + end