···11import { staticPlugin } from "@elysiajs/static";
22import { Elysia } from "elysia";
33-import { isAuthEnabled } from "../atproto/env.ts";
33+import { getAtprotoEnv, getDevPdsUrl, isAuthEnabled } from "../atproto/env.ts";
44import { atprotoRoutes } from "../atproto/routes.ts";
55import { AppError } from "../lib/errors.ts";
66import { getDb } from "./db/index.ts";
···1414import { profileRoutes } from "./routes/profile.ts";
1515import { searchRoutes } from "./routes/search.ts";
1616import { wikiRoutes } from "./routes/wiki.ts";
1717+1818+// Dev and prod OAuth configurations must not coexist: the dev-session fallback
1919+// trusts a `did=` cookie without a password check, so a prod instance with
2020+// DEV_PDS_URL set would allow impersonation.
2121+if (getAtprotoEnv() !== null && getDevPdsUrl() !== null) {
2222+ throw new Error(
2323+ "Dev and prod OAuth configurations are mutually exclusive — unset DEV_PDS_URL or the OAuth env vars (PUBLIC_URL / OAUTH_PRIVATE_KEY_PATH).",
2424+ );
2525+}
17261827// Initialize database on startup
1928getDb();
+3-2
src/server/routes/blob.ts
···22import { join, resolve } from "node:path";
33import { Elysia } from "elysia";
44import { isAuthEnabled } from "../../atproto/env.ts";
55-import { getAgent, getSessionFromRequest } from "../../atproto/session.ts";
55+import { getAgent } from "../../atproto/session.ts";
66+import { resolveRequestContext } from "../../lib/access.ts";
67import { MIME_TO_EXT } from "../../lib/constants.ts";
78import { formatError } from "../../lib/errors.ts";
89import { resolvePdsEndpoint } from "../../lib/identity.ts";
···4142 });
4243 }
43444444- const session = await getSessionFromRequest(request);
4545+ const { session } = await resolveRequestContext(request);
45464647 if (!session && isAuthEnabled()) {
4748 return new Response(