-2

cmd/hold/main.go

reviewed

··· 82 82 http.NotFound(w, r) 83 83 }) 84 84 85 85 - mux.HandleFunc("/health", service.HealthHandler) 86 86 - mux.HandleFunc("/register", service.HandleRegister) 87 85 mux.HandleFunc("/presigned-url", service.HandlePresignedURL) 88 86 mux.HandleFunc("/move", service.HandleMove) 89 87

+675

docs/XRPC_BLOB_MIGRATION.md

reviewed

··· 1 1 + # XRPC Blob Upload Migration 2 2 + 3 3 + This document describes how to migrate from separate legacy multipart upload endpoints to a unified `com.atproto.repo.uploadBlob` endpoint that supports both standard single-blob uploads and OCI container layer multipart uploads. 4 4 + 5 5 + ## Current State 6 6 + 7 7 + ### Legacy HTTP Endpoints (cmd/hold/main.go) 8 8 + 9 9 + ```go 10 10 + // Multipart upload endpoints 11 11 + mux.HandleFunc("/start-multipart", service.HandleStartMultipart) 12 12 + mux.HandleFunc("/part-presigned-url", service.HandleGetPartURL) 13 13 + mux.HandleFunc("/complete-multipart", service.HandleCompleteMultipart) 14 14 + mux.HandleFunc("/abort-multipart", service.HandleAbortMultipart) 15 15 + 16 16 + // Buffered part upload (when presigned URLs unavailable) 17 17 + mux.HandleFunc("/multipart-parts/", func(w http.ResponseWriter, r *http.Request) { 18 18 + // Parse URL: /multipart-parts/{uploadID}/{partNumber} 19 19 + // ... 20 20 + service.HandleMultipartPartUpload(w, r, uploadID, partNumber, did, service.MultipartMgr) 21 21 + }) 22 22 + ``` 23 23 + 24 24 + ### Existing XRPC Endpoint (pkg/hold/pds/xrpc.go) 25 25 + 26 26 + ```go 27 27 + // Current implementation - redirects to presigned URL 28 28 + func (h *XRPCHandler) HandleUploadBlob(w http.ResponseWriter, r *http.Request) { 29 29 + digest := r.URL.Query().Get("digest") 30 30 + uploadURL, err := h.blobStore.GetPresignedUploadURL(digest) 31 31 + http.Redirect(w, r, uploadURL, http.StatusFound) 32 32 + } 33 33 + ``` 34 34 + 35 35 + ### Supporting Code 36 36 + 37 37 + **pkg/hold/multipart.go:** 38 38 + - `MultipartManager` - Tracks upload sessions 39 39 + - `MultipartSession` - State for each upload (parts, mode, etc.) 40 40 + - Modes: `S3Native` (presigned URLs), `Buffered` (proxy uploads) 41 41 + 42 42 + **pkg/hold/blobstore_adapter.go:** 43 43 + - `HoldServiceBlobStore` - Adapter wrapping HoldService for XRPC handlers 44 44 + - Implements presigned URL generation 45 45 + - Currently not used by XRPC handlers 46 46 + 47 47 + **pkg/hold/handlers.go:** 48 48 + - `HandleStartMultipart()` - Starts upload, returns uploadID 49 49 + - `HandleGetPartURL()` - Returns presigned URL for part 50 50 + - `HandleCompleteMultipart()` - Finalizes upload, assembles parts 51 51 + - `HandleAbortMultipart()` - Cancels upload 52 52 + - `HandleMultipartPartUpload()` - Buffered part upload fallback 53 53 + 54 54 + ## New Unified Design 55 55 + 56 56 + ### Single Endpoint: `com.atproto.repo.uploadBlob` 57 57 + 58 58 + Content-Type discrimination determines operation: 59 59 + - `application/octet-stream` → Standard blob upload (profile images, small media) 60 60 + - `application/json` → Multipart operations (large OCI layers) 61 61 + 62 62 + ### API Specification 63 63 + 64 64 + #### Standard Single Upload (ATProto Spec Compliant) 65 65 + 66 66 + ``` 67 67 + POST /xrpc/com.atproto.repo.uploadBlob 68 68 + Content-Type: application/octet-stream 69 69 + 70 70 + [raw blob bytes] 71 71 + 72 72 + Response (200 OK): 73 73 + { 74 74 + "blob": { 75 75 + "$type": "blob", 76 76 + "ref": { 77 77 + "$link": "bafyreib..." // CID 78 78 + }, 79 79 + "mimeType": "application/octet-stream", 80 80 + "size": 12345 81 81 + } 82 82 + } 83 83 + ``` 84 84 + 85 85 + **Use case:** Profile images, small media (< 10MB), standard ATProto blobs 86 86 + 87 87 + #### Multipart Start (ATCR Extension) 88 88 + 89 89 + ``` 90 90 + POST /xrpc/com.atproto.repo.uploadBlob 91 91 + Content-Type: application/json 92 92 + 93 93 + { 94 94 + "action": "start", 95 95 + "digest": "sha256:abc123...", 96 96 + "size": 1234567890 // Optional hint for storage allocation 97 97 + } 98 98 + 99 99 + Response (200 OK): 100 100 + { 101 101 + "uploadId": "upload-1634567890", 102 102 + "expiresAt": "2025-10-16T12:00:00Z", 103 103 + "mode": "s3-native" // or "buffered" 104 104 + } 105 105 + ``` 106 106 + 107 107 + **Implementation:** 108 108 + - Calls `service.StartMultipartUploadWithManager(ctx, digest, multipartMgr)` 109 109 + - Returns uploadID and mode from MultipartSession 110 110 + 111 111 + #### Multipart Get Part URL (ATCR Extension) 112 112 + 113 113 + ``` 114 114 + POST /xrpc/com.atproto.repo.uploadBlob 115 115 + Content-Type: application/json 116 116 + 117 117 + { 118 118 + "action": "part", 119 119 + "uploadId": "upload-1634567890", 120 120 + "partNumber": 1, 121 121 + "digest": "sha256:abc123..." 122 122 + } 123 123 + 124 124 + Response (200 OK): 125 125 + { 126 126 + "url": "https://s3.amazonaws.com/bucket/...?X-Amz-...", 127 127 + "expiresAt": "2025-10-16T12:15:00Z", 128 128 + "method": "PUT" 129 129 + } 130 130 + 131 131 + // OR for buffered mode: 132 132 + { 133 133 + "url": "https://hold01.atcr.io/xrpc/com.atproto.repo.uploadBlob", 134 134 + "method": "PUT", 135 135 + "headers": { 136 136 + "X-Upload-Id": "upload-1634567890", 137 137 + "X-Part-Number": "1" 138 138 + }, 139 139 + "expiresAt": "2025-10-16T12:15:00Z" 140 140 + } 141 141 + ``` 142 142 + 143 143 + **Implementation:** 144 144 + - Retrieve session: `multipartMgr.GetSession(uploadID)` 145 145 + - S3Native mode: Call `service.GetPartUploadURL(ctx, session, partNumber, did)` 146 146 + - Buffered mode: Return self-referential URL with headers 147 147 + 148 148 + #### Multipart Upload Part (Buffered Mode) 149 149 + 150 150 + ``` 151 151 + PUT /xrpc/com.atproto.repo.uploadBlob 152 152 + Content-Type: application/octet-stream 153 153 + X-Upload-Id: upload-1634567890 154 154 + X-Part-Number: 1 155 155 + 156 156 + [part data bytes] 157 157 + 158 158 + Response (200 OK): 159 159 + { 160 160 + "etag": "abc123def456", 161 161 + "partNumber": 1 162 162 + } 163 163 + ``` 164 164 + 165 165 + **Implementation:** 166 166 + - Extract headers: `X-Upload-Id`, `X-Part-Number` 167 167 + - Call `service.HandleMultipartPartUpload(w, r, uploadID, partNumber, did, multipartMgr)` 168 168 + - Return ETag for completion 169 169 + 170 170 + #### Multipart Complete (ATCR Extension) 171 171 + 172 172 + ``` 173 173 + POST /xrpc/com.atproto.repo.uploadBlob 174 174 + Content-Type: application/json 175 175 + 176 176 + { 177 177 + "action": "complete", 178 178 + "uploadId": "upload-1634567890", 179 179 + "digest": "sha256:abc123...", 180 180 + "parts": [ 181 181 + { "partNumber": 1, "etag": "abc123" }, 182 182 + { "partNumber": 2, "etag": "def456" } 183 183 + ] 184 184 + } 185 185 + 186 186 + Response (200 OK): 187 187 + { 188 188 + "status": "completed", 189 189 + "blob": { 190 190 + "$type": "blob", 191 191 + "ref": { 192 192 + "$link": "bafyreib..." // CID computed from digest 193 193 + }, 194 194 + "mimeType": "application/octet-stream", 195 195 + "size": 1234567890 196 196 + } 197 197 + } 198 198 + ``` 199 199 + 200 200 + **Implementation:** 201 201 + - Retrieve session: `multipartMgr.GetSession(uploadID)` 202 202 + - For S3Native: Record parts via `session.RecordS3Part()` 203 203 + - Call `service.CompleteMultipartUploadWithManager(ctx, session, multipartMgr)` 204 204 + - Convert digest to CID for response 205 205 + 206 206 + #### Multipart Abort (ATCR Extension) 207 207 + 208 208 + ``` 209 209 + POST /xrpc/com.atproto.repo.uploadBlob 210 210 + Content-Type: application/json 211 211 + 212 212 + { 213 213 + "action": "abort", 214 214 + "uploadId": "upload-1634567890", 215 215 + "digest": "sha256:abc123..." 216 216 + } 217 217 + 218 218 + Response (200 OK): 219 219 + { 220 220 + "status": "aborted" 221 221 + } 222 222 + ``` 223 223 + 224 224 + **Implementation:** 225 225 + - Retrieve session: `multipartMgr.GetSession(uploadID)` 226 226 + - Call `service.AbortMultipartUploadWithManager(ctx, session, multipartMgr)` 227 227 + 228 228 + ## Implementation Strategy 229 229 + 230 230 + ### Phase 1: Add Unified Handler (Keep Legacy Endpoints) 231 231 + 232 232 + **File:** `pkg/hold/pds/xrpc.go` 233 233 + 234 234 + ```go 235 235 + // HandleUploadBlob unified handler supporting both single and multipart uploads 236 236 + func (h *XRPCHandler) HandleUploadBlob(w http.ResponseWriter, r *http.Request) { 237 237 + if r.Method != http.MethodPost && r.Method != http.MethodPut { 238 238 + http.Error(w, "method not allowed", http.StatusMethodNotAllowed) 239 239 + return 240 240 + } 241 241 + 242 242 + contentType := r.Header.Get("Content-Type") 243 243 + 244 244 + // Buffered multipart part upload (PUT with headers) 245 245 + if r.Method == http.MethodPut && r.Header.Get("X-Upload-Id") != "" { 246 246 + h.handleBufferedPartUpload(w, r) 247 247 + return 248 248 + } 249 249 + 250 250 + // Multipart operations (JSON body) 251 251 + if strings.Contains(contentType, "application/json") { 252 252 + h.handleMultipartOperation(w, r) 253 253 + return 254 254 + } 255 255 + 256 256 + // Standard single blob upload (raw bytes) 257 257 + h.handleSingleBlobUpload(w, r) 258 258 + } 259 259 + 260 260 + func (h *XRPCHandler) handleMultipartOperation(w http.ResponseWriter, r *http.Request) { 261 261 + var req struct { 262 262 + Action string `json:"action"` 263 263 + Digest string `json:"digest,omitempty"` 264 264 + Size int64 `json:"size,omitempty"` 265 265 + UploadID string `json:"uploadId,omitempty"` 266 266 + PartNumber int `json:"partNumber,omitempty"` 267 267 + Parts []struct { 268 268 + PartNumber int `json:"partNumber"` 269 269 + ETag string `json:"etag"` 270 270 + } `json:"parts,omitempty"` 271 271 + } 272 272 + 273 273 + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { 274 274 + http.Error(w, fmt.Sprintf("invalid JSON: %v", err), http.StatusBadRequest) 275 275 + return 276 276 + } 277 277 + 278 278 + // TODO: Add authentication check 279 279 + // user, err := ValidateDPoPRequest(r) 280 280 + 281 281 + ctx := r.Context() 282 282 + 283 283 + switch req.Action { 284 284 + case "start": 285 285 + h.handleMultipartStart(w, r, req.Digest, req.Size) 286 286 + case "part": 287 287 + h.handleMultipartPart(w, r, req.UploadID, req.PartNumber, req.Digest) 288 288 + case "complete": 289 289 + h.handleMultipartComplete(w, r, req.UploadID, req.Digest, req.Parts) 290 290 + case "abort": 291 291 + h.handleMultipartAbort(w, r, req.UploadID, req.Digest) 292 292 + default: 293 293 + http.Error(w, "invalid action", http.StatusBadRequest) 294 294 + } 295 295 + } 296 296 + 297 297 + func (h *XRPCHandler) handleMultipartStart(w http.ResponseWriter, r *http.Request, digest string, size int64) { 298 298 + ctx := r.Context() 299 299 + 300 300 + // Use HoldService multipart manager 301 301 + // Note: h.blobStore is HoldServiceBlobStore which wraps the service 302 302 + uploadID, mode, err := h.blobStore.StartMultipart(ctx, digest, size) 303 303 + if err != nil { 304 304 + http.Error(w, fmt.Sprintf("failed to start upload: %v", err), http.StatusInternalServerError) 305 305 + return 306 306 + } 307 307 + 308 308 + response := map[string]any{ 309 309 + "uploadId": uploadID, 310 310 + "expiresAt": time.Now().Add(24 * time.Hour), 311 311 + "mode": mode, // "s3-native" or "buffered" 312 312 + } 313 313 + 314 314 + w.Header().Set("Content-Type", "application/json") 315 315 + json.NewEncoder(w).Encode(response) 316 316 + } 317 317 + 318 318 + func (h *XRPCHandler) handleMultipartPart(w http.ResponseWriter, r *http.Request, uploadID string, partNumber int, digest string) { 319 319 + ctx := r.Context() 320 320 + 321 321 + // Get part upload URL (presigned S3 or buffered endpoint) 322 322 + partURL, err := h.blobStore.GetPartUploadURL(ctx, uploadID, partNumber, digest) 323 323 + if err != nil { 324 324 + http.Error(w, fmt.Sprintf("failed to get part URL: %v", err), http.StatusInternalServerError) 325 325 + return 326 326 + } 327 327 + 328 328 + response := map[string]any{ 329 329 + "url": partURL, 330 330 + "expiresAt": time.Now().Add(15 * time.Minute), 331 331 + "method": "PUT", 332 332 + } 333 333 + 334 334 + w.Header().Set("Content-Type", "application/json") 335 335 + json.NewEncoder(w).Encode(response) 336 336 + } 337 337 + 338 338 + func (h *XRPCHandler) handleMultipartComplete(w http.ResponseWriter, r *http.Request, uploadID string, digest string, parts []struct{ PartNumber int; ETag string }) { 339 339 + ctx := r.Context() 340 340 + 341 341 + // Convert parts format 342 342 + completedParts := make([]hold.CompletedPart, len(parts)) 343 343 + for i, p := range parts { 344 344 + completedParts[i] = hold.CompletedPart{ 345 345 + PartNumber: p.PartNumber, 346 346 + ETag: p.ETag, 347 347 + } 348 348 + } 349 349 + 350 350 + // Complete upload 351 351 + if err := h.blobStore.CompleteMultipart(ctx, uploadID, digest, completedParts); err != nil { 352 352 + http.Error(w, fmt.Sprintf("failed to complete upload: %v", err), http.StatusInternalServerError) 353 353 + return 354 354 + } 355 355 + 356 356 + // Convert digest to CID for ATProto response format 357 357 + cid, err := digestToCID(digest) 358 358 + if err != nil { 359 359 + http.Error(w, fmt.Sprintf("failed to generate CID: %v", err), http.StatusInternalServerError) 360 360 + return 361 361 + } 362 362 + 363 363 + response := map[string]any{ 364 364 + "status": "completed", 365 365 + "blob": map[string]any{ 366 366 + "$type": "blob", 367 367 + "ref": map[string]any{ 368 368 + "$link": cid.String(), 369 369 + }, 370 370 + "mimeType": "application/octet-stream", 371 371 + // Size would need to be tracked in session 372 372 + }, 373 373 + } 374 374 + 375 375 + w.Header().Set("Content-Type", "application/json") 376 376 + json.NewEncoder(w).Encode(response) 377 377 + } 378 378 + 379 379 + func (h *XRPCHandler) handleMultipartAbort(w http.ResponseWriter, r *http.Request, uploadID string, digest string) { 380 380 + ctx := r.Context() 381 381 + 382 382 + if err := h.blobStore.AbortMultipart(ctx, uploadID, digest); err != nil { 383 383 + http.Error(w, fmt.Sprintf("failed to abort upload: %v", err), http.StatusInternalServerError) 384 384 + return 385 385 + } 386 386 + 387 387 + response := map[string]any{ 388 388 + "status": "aborted", 389 389 + } 390 390 + 391 391 + w.Header().Set("Content-Type", "application/json") 392 392 + json.NewEncoder(w).Encode(response) 393 393 + } 394 394 + 395 395 + func (h *XRPCHandler) handleBufferedPartUpload(w http.ResponseWriter, r *http.Request) { 396 396 + uploadID := r.Header.Get("X-Upload-Id") 397 397 + partNumberStr := r.Header.Get("X-Part-Number") 398 398 + 399 399 + partNumber, err := strconv.Atoi(partNumberStr) 400 400 + if err != nil { 401 401 + http.Error(w, "invalid part number", http.StatusBadRequest) 402 402 + return 403 403 + } 404 404 + 405 405 + // Stream part data to storage 406 406 + etag, err := h.blobStore.UploadPart(r.Context(), uploadID, partNumber, r.Body) 407 407 + if err != nil { 408 408 + http.Error(w, fmt.Sprintf("failed to upload part: %v", err), http.StatusInternalServerError) 409 409 + return 410 410 + } 411 411 + 412 412 + response := map[string]any{ 413 413 + "etag": etag, 414 414 + "partNumber": partNumber, 415 415 + } 416 416 + 417 417 + w.Header().Set("Content-Type", "application/json") 418 418 + json.NewEncoder(w).Encode(response) 419 419 + } 420 420 + 421 421 + func (h *XRPCHandler) handleSingleBlobUpload(w http.ResponseWriter, r *http.Request) { 422 422 + // Standard ATProto uploadBlob behavior 423 423 + // Read blob data 424 424 + data, err := io.ReadAll(r.Body) 425 425 + if err != nil { 426 426 + http.Error(w, "failed to read blob", http.StatusInternalServerError) 427 427 + return 428 428 + } 429 429 + 430 430 + // Upload to storage (single operation) 431 431 + cid, size, err := h.blobStore.UploadBlob(r.Context(), bytes.NewReader(data)) 432 432 + if err != nil { 433 433 + http.Error(w, fmt.Sprintf("failed to upload blob: %v", err), http.StatusInternalServerError) 434 434 + return 435 435 + } 436 436 + 437 437 + // Standard ATProto blob response format 438 438 + response := map[string]any{ 439 439 + "blob": map[string]any{ 440 440 + "$type": "blob", 441 441 + "ref": map[string]any{ 442 442 + "$link": cid.String(), 443 443 + }, 444 444 + "mimeType": "application/octet-stream", 445 445 + "size": size, 446 446 + }, 447 447 + } 448 448 + 449 449 + w.Header().Set("Content-Type", "application/json") 450 450 + json.NewEncoder(w).Encode(response) 451 451 + } 452 452 + 453 453 + // digestToCID converts OCI digest (sha256:abc...) to ATProto CID 454 454 + func digestToCID(digest string) (cid.Cid, error) { 455 455 + // Implementation in pkg/hold/cid.go or similar 456 456 + // Strip "sha256:" prefix, decode hex, construct CIDv1 with sha256 multihash 457 457 + return cid.Undef, fmt.Errorf("not implemented") 458 458 + } 459 459 + ``` 460 460 + 461 461 + ### Phase 2: Extend HoldServiceBlobStore (pkg/hold/blobstore_adapter.go) 462 462 + 463 463 + The `HoldServiceBlobStore` currently wraps HoldService for presigned URLs. Extend it to support multipart operations: 464 464 + 465 465 + ```go 466 466 + // Add multipart methods to HoldServiceBlobStore 467 467 + 468 468 + func (h *HoldServiceBlobStore) StartMultipart(ctx context.Context, digest string, size int64) (uploadID string, mode string, err error) { 469 469 + uploadID, uploadMode, err := h.service.StartMultipartUploadWithManager(ctx, digest, h.service.MultipartMgr) 470 470 + if err != nil { 471 471 + return "", "", err 472 472 + } 473 473 + 474 474 + modeStr := "s3-native" 475 475 + if uploadMode == hold.Buffered { 476 476 + modeStr = "buffered" 477 477 + } 478 478 + 479 479 + return uploadID, modeStr, nil 480 480 + } 481 481 + 482 482 + func (h *HoldServiceBlobStore) GetPartUploadURL(ctx context.Context, uploadID string, partNumber int, digest string) (string, error) { 483 483 + session, err := h.service.MultipartMgr.GetSession(uploadID) 484 484 + if err != nil { 485 485 + return "", err 486 486 + } 487 487 + 488 488 + // For S3Native: return presigned URL 489 489 + // For Buffered: return self-referential URL with upload instructions 490 490 + if session.Mode == hold.S3Native { 491 491 + return h.service.GetPartUploadURL(ctx, session, partNumber, h.holdDID) 492 492 + } 493 493 + 494 494 + // Buffered mode: client will PUT to uploadBlob with headers 495 495 + return fmt.Sprintf("%s/xrpc/com.atproto.repo.uploadBlob", h.publicURL), nil 496 496 + } 497 497 + 498 498 + func (h *HoldServiceBlobStore) UploadPart(ctx context.Context, uploadID string, partNumber int, data io.Reader) (string, error) { 499 499 + // Buffered part upload - streams data to storage 500 500 + // Used when client PUTs to uploadBlob with X-Upload-Id header 501 501 + session, err := h.service.MultipartMgr.GetSession(uploadID) 502 502 + if err != nil { 503 503 + return "", err 504 504 + } 505 505 + 506 506 + // Stream to storage, return ETag 507 507 + // This wraps HandleMultipartPartUpload logic 508 508 + etag, err := h.service.UploadPartBuffered(ctx, session, partNumber, data) 509 509 + return etag, err 510 510 + } 511 511 + 512 512 + func (h *HoldServiceBlobStore) CompleteMultipart(ctx context.Context, uploadID string, digest string, parts []hold.CompletedPart) error { 513 513 + session, err := h.service.MultipartMgr.GetSession(uploadID) 514 514 + if err != nil { 515 515 + return err 516 516 + } 517 517 + 518 518 + // For S3Native: record parts ETags 519 519 + if session.Mode == hold.S3Native { 520 520 + for _, p := range parts { 521 521 + session.RecordS3Part(p.PartNumber, p.ETag, 0) 522 522 + } 523 523 + } 524 524 + 525 525 + return h.service.CompleteMultipartUploadWithManager(ctx, session, h.service.MultipartMgr) 526 526 + } 527 527 + 528 528 + func (h *HoldServiceBlobStore) AbortMultipart(ctx context.Context, uploadID string, digest string) error { 529 529 + session, err := h.service.MultipartMgr.GetSession(uploadID) 530 530 + if err != nil { 531 531 + return err 532 532 + } 533 533 + 534 534 + return h.service.AbortMultipartUploadWithManager(ctx, session, h.service.MultipartMgr) 535 535 + } 536 536 + 537 537 + func (h *HoldServiceBlobStore) UploadBlob(ctx context.Context, data io.Reader) (cid.Cid, int64, error) { 538 538 + // Single blob upload for standard ATProto use case 539 539 + // Compute digest, store via service driver 540 540 + // Return CID and size 541 541 + // Implementation TBD 542 542 + return cid.Undef, 0, fmt.Errorf("not implemented") 543 543 + } 544 544 + ``` 545 545 + 546 546 + ### Phase 3: Update AppView Client (pkg/appview/storage/) 547 547 + 548 548 + Create new XRPC client or update ProxyBlobStore to use unified endpoint: 549 549 + 550 550 + ```go 551 551 + // In ProxyBlobStore or new XRPCBlobStore 552 552 + 553 553 + func (p *ProxyBlobStore) startMultipartUpload(ctx context.Context, digest string) (string, error) { 554 554 + reqBody := map[string]any{ 555 555 + "action": "start", 556 556 + "digest": digest, 557 557 + } 558 558 + 559 559 + body, _ := json.Marshal(reqBody) 560 560 + url := fmt.Sprintf("%s/xrpc/com.atproto.repo.uploadBlob", p.storageEndpoint) 561 561 + req, _ := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(body)) 562 562 + req.Header.Set("Content-Type", "application/json") 563 563 + 564 564 + resp, err := p.httpClient.Do(req) 565 565 + // ... parse response, return uploadID 566 566 + } 567 567 + 568 568 + func (p *ProxyBlobStore) getPartPresignedURL(ctx context.Context, digest, uploadID string, partNumber int) (string, error) { 569 569 + reqBody := map[string]any{ 570 570 + "action": "part", 571 571 + "uploadId": uploadID, 572 572 + "partNumber": partNumber, 573 573 + "digest": digest, 574 574 + } 575 575 + 576 576 + body, _ := json.Marshal(reqBody) 577 577 + url := fmt.Sprintf("%s/xrpc/com.atproto.repo.uploadBlob", p.storageEndpoint) 578 578 + req, _ := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(body)) 579 579 + req.Header.Set("Content-Type", "application/json") 580 580 + 581 581 + resp, err := p.httpClient.Do(req) 582 582 + // ... parse response, return presigned URL 583 583 + } 584 584 + 585 585 + // Similar for complete, abort 586 586 + ``` 587 587 + 588 588 + ### Phase 4: Testing Period 589 589 + 590 590 + **During transition:** 591 591 + - Both legacy HTTP endpoints AND new XRPC endpoint active 592 592 + - AppView can use either based on configuration/feature flag 593 593 + - New deployments use XRPC 594 594 + - Old deployments continue with legacy 595 595 + 596 596 + **Detection logic:** 597 597 + ```go 598 598 + func (r *RoutingRepository) Blobs(ctx context.Context) distribution.BlobStore { 599 599 + // Try XRPC first (check for /.well-known/did.json) 600 600 + if supportsXRPC(storageEndpoint) { 601 601 + return NewXRPCBlobStore(storageEndpoint, ...) 602 602 + } 603 603 + // Fallback to legacy 604 604 + return NewProxyBlobStore(storageEndpoint, ...) 605 605 + } 606 606 + ``` 607 607 + 608 608 + ### Phase 5: Remove Legacy Endpoints 609 609 + 610 610 + Once all holds migrated and tested: 611 611 + 612 612 + **cmd/hold/main.go - Remove:** 613 613 + ```go 614 614 + // DELETE these lines 615 615 + mux.HandleFunc("/start-multipart", service.HandleStartMultipart) 616 616 + mux.HandleFunc("/part-presigned-url", service.HandleGetPartURL) 617 617 + mux.HandleFunc("/complete-multipart", service.HandleCompleteMultipart) 618 618 + mux.HandleFunc("/abort-multipart", service.HandleAbortMultipart) 619 619 + mux.HandleFunc("/multipart-parts/", ...) 620 620 + ``` 621 621 + 622 622 + **pkg/hold/handlers.go - Mark as deprecated:** 623 623 + ```go 624 624 + // Keep methods for now (used by service internals) 625 625 + // But remove HTTP handler wrappers 626 626 + ``` 627 627 + 628 628 + ## Key Design Decisions 629 629 + 630 630 + 1. **Content-Type discrimination**: Natural way to distinguish single vs multipart uploads 631 631 + 2. **JSON bodies for multipart**: Follows XRPC conventions (like putRecord, deleteRecord) 632 632 + 3. **Preserve standard uploadBlob**: Raw bytes still work for profile images, small media 633 633 + 4. **Reuse existing code**: HoldService multipart logic unchanged, just new HTTP layer 634 634 + 5. **Backward compatibility**: Both endpoints active during transition 635 635 + 6. **Action-based routing**: Clear, extensible JSON structure 636 636 + 637 637 + ## Benefits 638 638 + 639 639 + - ✅ Single endpoint for all blob operations 640 640 + - ✅ Standard ATProto uploadBlob preserved 641 641 + - ✅ XRPC-like JSON request/response 642 642 + - ✅ Reuses existing multipart.go logic 643 643 + - ✅ Gradual migration path 644 644 + - ✅ Less endpoints to maintain 645 645 + - ✅ Cleaner AppView client code 646 646 + 647 647 + ## Testing Checklist 648 648 + 649 649 + - [ ] Single blob upload (< 10MB, raw bytes) 650 650 + - [ ] Multipart start → part → complete flow 651 651 + - [ ] S3Native mode (presigned URLs) 652 652 + - [ ] Buffered mode (proxy uploads) 653 653 + - [ ] Multipart abort 654 654 + - [ ] Large blob upload (> 5GB, many parts) 655 655 + - [ ] Concurrent uploads 656 656 + - [ ] Upload resume after network failure 657 657 + - [ ] Legacy endpoint backward compatibility 658 658 + - [ ] AppView XRPC client integration 659 659 + - [ ] Performance comparison (XRPC vs legacy) 660 660 + 661 661 + ## Migration Timeline 662 662 + 663 663 + 1. **Week 1**: Implement unified uploadBlob handler (Phase 1-2) 664 664 + 2. **Week 2**: Update AppView client, feature flag (Phase 3) 665 665 + 3. **Week 3**: Deploy to dev/staging, test both paths (Phase 4) 666 666 + 4. **Week 4**: Roll out to production (gradual) 667 667 + 5. **Week 5-6**: Monitor, verify all holds migrated 668 668 + 6. **Week 7**: Remove legacy endpoints (Phase 5) 669 669 + 670 670 + ## References 671 671 + 672 672 + - ATProto uploadBlob spec: https://docs.bsky.app/docs/api/com-atproto-repo-upload-blob 673 673 + - XRPC conventions: https://atproto.com/specs/xrpc 674 674 + - Existing multipart implementation: pkg/hold/multipart.go 675 675 + - Blob store adapter: pkg/hold/blobstore_adapter.go

-91

pkg/hold/handlers.go

reviewed

··· 8 8 "log" 9 9 "net/http" 10 10 "time" 11 11 - 12 12 - "atcr.io/pkg/atproto" 13 11 ) 14 12 15 13 // PresignedURLOperation defines the type of presigned URL operation ··· 496 494 "status": "aborted", 497 495 }) 498 496 } 499 499 - 500 500 - // RegisterRequest represents a request to register this hold in a user's PDS 501 501 - type RegisterRequest struct { 502 502 - DID string `json:"did"` 503 503 - AccessToken string `json:"access_token"` 504 504 - PDSEndpoint string `json:"pds_endpoint"` 505 505 - } 506 506 - 507 507 - // RegisterResponse contains the registration result 508 508 - type RegisterResponse struct { 509 509 - HoldURI string `json:"hold_uri"` 510 510 - CrewURI string `json:"crew_uri"` 511 511 - Message string `json:"message"` 512 512 - } 513 513 - 514 514 - // HandleRegister registers this hold service in a user's PDS (manual endpoint) 515 515 - func (s *HoldService) HandleRegister(w http.ResponseWriter, r *http.Request) { 516 516 - if r.Method != http.MethodPost { 517 517 - http.Error(w, "method not allowed", http.StatusMethodNotAllowed) 518 518 - return 519 519 - } 520 520 - 521 521 - var req RegisterRequest 522 522 - if err := json.NewDecoder(r.Body).Decode(&req); err != nil { 523 523 - http.Error(w, fmt.Sprintf("invalid request: %v", err), http.StatusBadRequest) 524 524 - return 525 525 - } 526 526 - 527 527 - // Validate required fields 528 528 - if req.DID == "" || req.AccessToken == "" || req.PDSEndpoint == "" { 529 529 - http.Error(w, "missing required fields: did, access_token, pds_endpoint", http.StatusBadRequest) 530 530 - return 531 531 - } 532 532 - 533 533 - // Get public URL from config 534 534 - publicURL := s.config.Server.PublicURL 535 535 - if publicURL == "" { 536 536 - // Fallback to constructing URL from request 537 537 - scheme := "http" 538 538 - if r.TLS != nil { 539 539 - scheme = "https" 540 540 - } 541 541 - publicURL = fmt.Sprintf("%s://%s", scheme, r.Host) 542 542 - } 543 543 - 544 544 - // Derive hold name from URL 545 545 - holdName, err := extractHostname(publicURL) 546 546 - if err != nil { 547 547 - http.Error(w, fmt.Sprintf("failed to extract hostname: %v", err), http.StatusBadRequest) 548 548 - return 549 549 - } 550 550 - 551 551 - ctx := r.Context() 552 552 - 553 553 - // Create ATProto client with user's credentials 554 554 - client := atproto.NewClient(req.PDSEndpoint, req.DID, req.AccessToken) 555 555 - 556 556 - // Create HoldRecord 557 557 - holdRecord := atproto.NewHoldRecord(publicURL, req.DID, s.config.Server.Public) 558 558 - 559 559 - holdResult, err := client.PutRecord(ctx, atproto.HoldCollection, holdName, holdRecord) 560 560 - if err != nil { 561 561 - http.Error(w, fmt.Sprintf("failed to create hold record: %v", err), http.StatusInternalServerError) 562 562 - return 563 563 - } 564 564 - 565 565 - log.Printf("Created hold record: %s", holdResult.URI) 566 566 - 567 567 - // Create HoldCrewRecord for the owner 568 568 - crewRecord := atproto.NewHoldCrewRecord(holdResult.URI, req.DID, "owner") 569 569 - 570 570 - crewRKey := fmt.Sprintf("%s-%s", holdName, req.DID) 571 571 - crewResult, err := client.PutRecord(ctx, atproto.HoldCrewCollection, crewRKey, crewRecord) 572 572 - if err != nil { 573 573 - http.Error(w, fmt.Sprintf("failed to create crew record: %v", err), http.StatusInternalServerError) 574 574 - return 575 575 - } 576 576 - 577 577 - log.Printf("Created crew record: %s", crewResult.URI) 578 578 - 579 579 - resp := RegisterResponse{ 580 580 - HoldURI: holdResult.URI, 581 581 - CrewURI: crewResult.URI, 582 582 - Message: fmt.Sprintf("Successfully registered hold service. Storage endpoint: %s", publicURL), 583 583 - } 584 584 - 585 585 - w.Header().Set("Content-Type", "application/json") 586 586 - json.NewEncoder(w).Encode(resp) 587 587 - }

-40

pkg/hold/patterns.go

reviewed

··· 1 1 - package hold 2 2 - 3 3 - import ( 4 4 - "regexp" 5 5 - "strings" 6 6 - ) 7 7 - 8 8 - // matchPattern checks if a handle matches a pattern 9 9 - // Supports wildcards: "*" (all), "*.domain.com" (suffix), "prefix.*" (prefix), "*.mid.*" (contains) 10 10 - func matchPattern(pattern, handle string) bool { 11 11 - if pattern == "*" { 12 12 - // Wildcard matches all 13 13 - return true 14 14 - } 15 15 - 16 16 - // Convert glob to regex and match 17 17 - regex := globToRegex(pattern) 18 18 - matched, err := regexp.MatchString(regex, handle) 19 19 - if err != nil { 20 20 - // Log error but fail closed (don't grant access on regex error) 21 21 - return false 22 22 - } 23 23 - return matched 24 24 - } 25 25 - 26 26 - // globToRegex converts a glob pattern to a regex pattern 27 27 - // Examples: 28 28 - // - "*.example.com" → "^.*\.example\.com$" 29 29 - // - "subdomain.*" → "^subdomain\..*$" 30 30 - // - "*.bsky.*" → "^.*\.bsky\..*$" 31 31 - func globToRegex(pattern string) string { 32 32 - // Escape special regex characters (except *) 33 33 - escaped := regexp.QuoteMeta(pattern) 34 34 - 35 35 - // Replace escaped \* with .* 36 36 - regex := strings.ReplaceAll(escaped, "\\*", ".*") 37 37 - 38 38 - // Anchor to start and end 39 39 - return "^" + regex + "$" 40 40 - }

-7

pkg/hold/service.go

reviewed

··· 4 4 "context" 5 5 "fmt" 6 6 "log" 7 7 - "net/http" 8 7 "net/url" 9 8 10 9 "atcr.io/pkg/auth" ··· 94 93 return false 95 94 } 96 95 return allowed 97 97 - } 98 98 - 99 99 - // HealthHandler handles health check requests 100 100 - func (s *HoldService) HealthHandler(w http.ResponseWriter, r *http.Request) { 101 101 - w.Header().Set("Content-Type", "application/json") 102 102 - w.Write([]byte(`{"status":"ok"}`)) 103 96 } 104 97 105 98 // extractHostname extracts the hostname from a URL